Automatic Script Updater

Mark Kretschmann kretschmann at kde.org
Mon Nov 9 09:02:17 CET 2009


On Sun, Nov 8, 2009 at 7:54 PM, Frank Karlitschek <karlitschek at kde.org> wrote:
> On 08.10.2009, at 16:40, Bart Cerneels wrote:
>> On Thu, Oct 8, 2009 at 16:12, Mark Kretschmann <kretschmann at kde.org>
>> wrote:
>>>> On Thursday 08 October 2009 09:58:13 Sven Krohlas wrote:
>>>>>> I don't think third-party scripts should be a part of this
>>>>>> system. Who
>>>>>> signs them off? By definition not us, as they are 3rd-party. We
>>>>>> can't be
>>>>>> the gateway for all 3rd-party script updates. But we don't want
>>>>>> to allow
>>>>>> random developers to inject code in amarok ad-hoc.
>>>>>
>>>>> we can sign the keys of "trustworthy" (a term that has to be
>>>>> defined then)
>>>>> script developers. This way we don't have to sign each and every
>>>>> update but
>>>>> just have to verify that the key used to sign an update was
>>>>> signed by our
>>>>> key. The script package would need to contain the public key and
>>>>> our
>>>>> signature for it then.
>>>>>
>>>>> Trustworthy could be someone
>>>>> * we know personally
>>>>> * has given good contributions to the community for some time
>>>>> * we know the real identity of
>>>>> or something like that.
>>>
>>> Sorry, but "trustworthy" would never work in real life. Who wants to
>>> take responsibility?
>>>
>>> Let's say that you trust me in general. In reality you would only
>>> trust me with certain things, e.g. fetching ice cream, programming UI
>>> code, whatever. But you would not trust me to do a medical checkup on
>>> you.
>>>
>>> Even if you did trust me with medicine, I could screw up. The same
>>> applies to 3rd party contributors, as an analogy.
>>
>> I don't think we should bother with signing 3rd party scripts, I would
>> rather have support for this in opendesktop and GHNS. And when that
>> does we have to use those for our own updates as well. But until then
>> we can use the proposed system.
>>
>> People already put their trust in the scriptwriters by installing over
>> GHNS or directly from kde-apps.org. Just add signatures to that for
>> auto updating and we have our infrastructure.
>>
>> A feature request for opendesktop.org: Perhaps we can use our personal
>> keys to sign a script or have it signed by the amarok-developers group
>> key. Because I fear the weakest link is the private key and password
>> we have to either share or assign to one person.
>>
>> Adding all our default scripts to kde-apps is a good idea anyway since
>> it's free publicity. And when they are updated there are automatic
>> notifications via the various channels opendesktop.org has.
>>
>> CC'ed a few interested parties. Don't forget to CC them if necessary.
>
> Sorry for the late reply.
>
> It is quite clear that we need a security system for scripts on GHNS.
> Signing the scripts with the key of the uploader/developer is of
> course possible but doesn't solve the real problem.
> As long as everybody can upload a script to openDesktop.org and users
> can download it, the signing doesn't give us any security that the
> script is safe.
>
> What we also need is some kind of trust system on the server.
> Something like: this developer has been a contributor for some time,
> has developed several other scripts already, has a high rating and got
> reviewed by other people with a high trust level. So the script has a
> high trust level.
>
> With this system we can mark the scripts with different trust levels.
> I plan to develop a system like this in the future. But this is not
> done in a week so I need some time.
>
> I hope this improves the security for Amarok.
>
> What do you think?

Sorry, but I don't think a trust system alone would cut it. For a
minute, just assume that you would "trust" me somehow on a certain
technical level. Then I'd use this trust, but I would make one bad
call (maybe because I'm not as good as you expected, or because I had
a bad day), and then a serious malware component slips through our net
of trust.

What would that make me then? It would make me a person who screwed
something up very badly. So I wouldn't want to have any trust or
responsibility in the first place. Who would?

What I'd rather see is something we had talked about a long time ago:
All scripts on kde-apps.org (reachable via GHNS) must be hosted in a
public version control system. This system could e.g. be SVN (it's
easy for newbies). The server could be hosted by KDE, by Frank, or by
another party. Let me explain what advantages I expect from this
approach:

* An end to "abandonware": This problem has plagued us from day one:
Author A releases script A1. Author A gets lost in static. Author B
comes, copies the source of A1, releases a separate script called B1.
Rinse, repeat. With a version control system, author B could take up
maintainership of A1, without forking the actual code. Much better.

* Increased security by more eyes and better accountability: If code is
publicly hosted in a VCS and someone boldly goes and adds a commit
to it that contains malware, two things would happen: 1) Someone might
actually notice the bad change, before it's too late. 2) We could
tell exactly who added this change, and when the person did it. This
should provide quite a barrier for such attempts.

* We programmers could all review the bulk of code more easily, without
downloading each script and each specific version of it. Right now I
download approximately two scripts per month and take a quick look at
the code. With a public repository, I could see myself browsing it
more often, if only to kill some time. Easy access would automatically
provide us with some level of code review.


Thanks for listening.
I would love to hear further comments about this proposal :)

-- 
Mark Kretschmann
Amarok Developer
www.kde.org - amarok.kde.org
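The two-level signing scheme Sven sketches in the quoted part of this thread (the project signs a developer's public key once; the developer signs each update; the updater only needs the project's key) is small enough to show end to end. The following is an added example, not code from this thread or from Amarok itself. It assumes Ed25519 (the thread names no algorithm), a constructed script name and body, and freshly generated keys; the verifier is written to fail closed on the three cases that matter: a body altered after signing, a developer key that was not certified by the project key, and a signature that does not belong to the certified key. As Frank points out, a passing check proves only who signed the update, not that the script is safe, and as Bart notes, the scheme is only as strong as the custody of the root private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// DeveloperCert is what the script package would carry next to the
// script: the developer's public key plus the project root key's
// signature over it (the "our signature for it" from the thread).
type DeveloperCert struct {
	DevPub  ed25519.PublicKey
	RootSig []byte
}

// SignedScript is an update as delivered: script, developer
// certificate, and the developer's signature over the script.
type SignedScript struct {
	Name string
	Body []byte
	Cert DeveloperCert
	Sig  []byte
}

// scriptMessage length-prefixes the name so that shifting bytes between
// name and body can never yield the same signed message.
func scriptMessage(name string, body []byte) []byte {
	msg := make([]byte, 4, 4+len(name)+len(body))
	binary.BigEndian.PutUint32(msg, uint32(len(name)))
	msg = append(msg, name...)
	return append(msg, body...)
}

// CertifyDeveloper is the one-off step done by the project: sign the
// developer's public key with the root private key.
func CertifyDeveloper(rootPriv ed25519.PrivateKey, devPub ed25519.PublicKey) DeveloperCert {
	return DeveloperCert{DevPub: devPub, RootSig: ed25519.Sign(rootPriv, devPub)}
}

// SignScript is done by the developer for every release; the project
// is not involved in this step.
func SignScript(devPriv ed25519.PrivateKey, cert DeveloperCert, name string, body []byte) SignedScript {
	return SignedScript{
		Name: name, Body: body, Cert: cert,
		Sig: ed25519.Sign(devPriv, scriptMessage(name, body)),
	}
}

// VerifyScript is what the updater runs with only the root public key
// built into the application. Order matters: first the developer key
// must be certified by the root key, then the script must be signed by
// that certified key. The length check guards ed25519.Verify, which
// panics on a malformed public key.
func VerifyScript(rootPub ed25519.PublicKey, s SignedScript) error {
	if len(s.Cert.DevPub) != ed25519.PublicKeySize {
		return errors.New("malformed developer key in certificate")
	}
	if !ed25519.Verify(rootPub, s.Cert.DevPub, s.Cert.RootSig) {
		return errors.New("developer key is not certified by the project root key")
	}
	if !ed25519.Verify(s.Cert.DevPub, scriptMessage(s.Name, s.Body), s.Sig) {
		return errors.New("script signature does not match the certified developer key")
	}
	return nil
}

func main() {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := CertifyDeveloper(rootPriv, devPub)

	// Constructed sample script; not a real Amarok script.
	script := SignScript(devPriv, cert, "lyrics.js", []byte("Amarok.alert('hi');"))
	fmt.Println("genuine update:", VerifyScript(rootPub, script))

	// Body altered after signing.
	tampered := script
	tampered.Body = []byte("Amarok.alert('changed');")
	fmt.Println("tampered body:", VerifyScript(rootPub, tampered))

	// Uploader who certifies their own key instead of the project doing it.
	roguePub, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	rogue := SignScript(roguePriv, CertifyDeveloper(roguePriv, roguePub), "lyrics.js", script.Body)
	fmt.Println("self-certified key:", VerifyScript(rootPub, rogue))
}
```

Revocation is deliberately absent: once a developer key is certified there is no way here to withdraw it, which is one more reason the root key and the list of certified keys need careful handling.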
