Automatic Script Updater

Frank Karlitschek karlitschek at kde.org
Sun Nov 8 19:54:51 CET 2009


On 08.10.2009, at 16:40, Bart Cerneels wrote:

> On Thu, Oct 8, 2009 at 16:12, Mark Kretschmann <kretschmann at kde.org> wrote:
>>> On Thursday 08 October 2009 09:58:13 Sven Krohlas wrote:
>>>>> I don't think third-party scripts should be a part of this system. Who
>>>>> signs them off? By definition not us, as they are 3rd-party. We can't be
>>>>> the gateway for all 3rd-party script updates. But we don't want to allow
>>>>> random developers to inject code in amarok ad-hoc.
>>>>
>>>> we can sign the keys of "trustworthy" (a term that has to be defined then)
>>>> script developers. This way we don't have to sign each and every update but
>>>> just have to verify that the key used to sign an update was signed by our
>>>> key. The script package would need to contain the public key and our
>>>> signature for it then.
>>>>
>>>> Trustworthy could be someone
>>>> * we know personally
>>>> * has given good contributions to the community for some time
>>>> * we know the real identity of
>>>> or something like that.
>>
>> Sorry, but "trustworthy" would never work in real life. Who wants to
>> take responsibility?
>>
>> Let's say that you trust me in general. In reality you would only
>> trust me with certain things, e.g. fetching ice cream, programming UI
>> code, whatever. But you would not trust me to do a medical checkup on
>> you.
>>
>> Even if you did trust me with medicine, I could screw up. The same
>> applies to 3rd party contributors, as an analogy.
>>
>
> I don't think we should bother with signing 3rd party scripts, I would
> rather have support for this in opendesktop and GHNS. And when that
> does we have to use those for our own updates as well. But until then
> we can use the proposed system.
>
> People already put their trust in the scriptwriters by installing over
> GHNS or directly from kde-apps.org. Just add signatures to that for
> auto updating and we have our infrastructure.
>
> A feature request for opendesktop.org: Perhaps we can use our personal
> keys to sign a script or have it signed by the amarok-developers group
> key. Because I fear the weakest link is the private key and password
> we have to either share or assign to one person.
>
> Adding all our default scripts to kde-apps is a good idea anyway since
> it's free publicity. And when they are updated there are automatic
> notifications via the various channels opendesktop.org has.
>
> CC'ed a few interested parties. Don't forget to CC them if necessary.
>
> Bart



Sorry for the late reply.

It is quite clear that we need a security system for scripts on GHNS.
Signing the scripts with the key of the uploader/developer is of
course possible but doesn't solve the real problem.
As long as everybody can upload a script to openDesktop.org and users
can download it, the signing doesn't give us any security that the
script is safe.

What we also need is some kind of trust system on the server.
Something like: this developer is already a contributor for some time,
developed several other scripts already, has a high rating and got
reviewed by other people with a high trust level. So the script has a
high trust level.

With this system we can mark the scripts with different trust levels.
I plan to develop a system like this in the future. But this is not
done in a week so I need some time.

I hope this improves the security for Amarok.

What do you think?

Cheers
Frank



--
Frank Karlitschek
karlitschek at kde.org
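
The delegated-signing check quoted earlier in this thread (the project key signs a developer's key, the developer's key signs each update, and the package carries both), as an added example that is not part of the original messages or of Amarok's code. It assumes textbook RSA built from the standard library as a stand-in for a real signature scheme such as OpenPGP; the package field names and keys are hypothetical and constructed for illustration.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys

def make_key(p, q):
    """Toy RSA key from two primes: returns (public modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    # SHA-256 reduced into the modulus range (textbook RSA, no padding: not for real use).
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

def key_bytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def verify_update(pkg, project_n):
    """Accept only if the project key signed the developer key AND
    the developer key signed the script (field names are hypothetical)."""
    dev_n = pkg["dev_pubkey"]
    if not verify(key_bytes(dev_n), pkg["key_endorsement"], project_n):
        return "rejected: developer key not endorsed by project"
    if not verify(pkg["script"], pkg["script_sig"], dev_n):
        return "rejected: script signature invalid"
    return "accepted"

# Constructed keys from Mersenne primes: far too small and structured for real use.
PROJECT_N, PROJECT_D = make_key(2**127 - 1, 2**89 - 1)
DEV_N, DEV_D = make_key(2**107 - 1, 2**61 - 1)
ROGUE_N, ROGUE_D = make_key(2**61 - 1, 2**89 - 1)  # a key the project never endorsed

def build_package(script, dev_n, dev_d, endorsement):
    return {"script": script, "dev_pubkey": dev_n,
            "key_endorsement": endorsement, "script_sig": sign(script, dev_n, dev_d)}

ENDORSEMENT = sign(key_bytes(DEV_N), PROJECT_N, PROJECT_D)  # done once by the project
good = build_package(b"print('lyrics v2')", DEV_N, DEV_D, ENDORSEMENT)
tampered = dict(good, script=b"print('lyrics v2')  # modified in transit")
rogue = build_package(b"print('lyrics v2')", ROGUE_N, ROGUE_D, ENDORSEMENT)

if __name__ == "__main__":
    for name, pkg in [("good", good), ("tampered", tampered), ("rogue", rogue)]:
        print(name, "->", verify_update(pkg, PROJECT_N))
```

An "accepted" result establishes only who signed the update and that it was not altered afterwards; it carries no information about what the script does.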
