Automatic Script Updater

Bart Cerneels bart.cerneels at kde.org
Mon Nov 9 09:23:18 CET 2009


On Sun, Nov 8, 2009 at 19:54, Frank Karlitschek <karlitschek at kde.org> wrote:
> On 08.10.2009, at 16:40, Bart Cerneels wrote:
>
>> On Thu, Oct 8, 2009 at 16:12, Mark Kretschmann <kretschmann at kde.org>
>> wrote:
>>>>
>>>> On Thursday 08 October 2009 09:58:13 Sven Krohlas wrote:
>>>>>>
>>>>>> I don't think third-party scripts should be a part of this system. Who
>>>>>> signs them off? By definition not us, as they are 3rd-party. We can't
>>>>>> be
>>>>>> the gateway for all 3rd-party script updates. But we don't want to
>>>>>> allow
>>>>>> random developers to inject code in amarok ad-hoc.
>>>>>
>>>>> we can sign the keys of "trustworthy" (a term that has to be defined
>>>>> then)
>>>>> script developers. This way we don't have to sign each and every update
>>>>> but
>>>>> just have to verify that the key used to sign an update was signed by
>>>>> our
>>>>> key. The script package would need to contain the public key and our
>>>>> signature for it then.
>>>>>
>>>>> Trustworthy could be someone
>>>>> * we know personally
>>>>> * has given good contributions to the community for some time
>>>>> * we know the real identity of
>>>>> or something like that.
>>>
>>> Sorry, but "trustworthy" would never work in real life. Who wants to
>>> take responsibility?
>>>
>>> Let's say that you trust me in general. In reality you would only
>>> trust me with certain things, e.g. fetching ice cream, programming UI
>>> code, whatever. But you would not trust me to do a medical checkup on
>>> you.
>>>
>>> Even if you did trust me with medicine, I could screw up. The same
>>> applies to 3rd party contributors, as an analogy.
>>>
>>
>> I don't think we should bother with signing 3rd party scripts, I would
>> rather have support for this in opendesktop and GHNS. And when that
>> does we have to use those for our own updates as well. But until then
>> we can use the proposed system.
>>
>> People already put their trust in the scriptwriters by installing over
>> GHNS or directly from kde-apps.org. Just add signatures to that for
>> auto updating and we have our infrastructure.
>>
>> A feature request for opendesktop.org: Perhaps we can use our personal
>> keys to sign a script or have it signed by the amarok-developers group
>> key. Because I fear the weakest link is the private key and password
>> we have to either share or assign to one person.
>>
>> Adding all our default scripts to kde-apps is a good idea anyway since
>> it's free publicity. And when they are updated there are automatic
>> notifications via the various channels opendesktop.org has.
>>
>> CC'ed a few interested parties. Don't forget to CC them if necessary.
>>
>> Bart
>
>
>
> Sorry for the late reply.
>
> It is quite clear that we need a security system for scripts on GHNS.
> Signing the Scripts with the key of the uploader/developer is of course
> possible but doesn't solve the real problem.
> As long as everybody can upload a script to openDesktop.org and users can
> download it the signing doesn't give us any security that the script is
> safe.

Just a clarification: I meant the signed downloads are used to offer
automatic updates of scripts hosted on freedesktop.org where the user
has already decided to trust the author.
This trusting should be explicit and very clearly explained in the
GHNS dialog and is a requirement to enable automatic updates for that
specific script.

If there ever is a change of maintainership of FD.o hosted signed
content (feature request), the user should be notified and asked for
his trust of this new maintainer for that specific script.

>
> What we also need is some kind of trust system on the server. Something like
> this developer is already a contributor for some time, developed several
> other scripts already, has a high rating and got reviewed by other people
> with a high trust level. So the script has a high trust level.

I think we could agree that the trust or recommendation system is
insufficient for automatic updates. But for one-time downloads or the
first time auto-update content is downloaded: sure.

>
> With this system we can mark the scripts with different trust level.
> I plan to develop a system like this in the future. But this is not done in
> a week so I need some time.
>
> I hope this improves the security for Amarok.
>
> What do you think?
>
> Cheers
> Frank
>
>
>
> --
> Frank Karlitschek
> karlitschek at kde.org
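The key-signing scheme proposed earlier in this thread (the project signs a developer's public key, the developer signs each update, and the update package carries the key plus the project's signature over it) as an added worked example; this is illustrative code written for this page, not Amarok's or GHNS's own implementation. It assumes Ed25519 signatures and a hypothetical ScriptPackage bundle layout, and shows that an update from a key the project never certified is rejected even though its own signature is internally consistent.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// ScriptPackage is the hypothetical update bundle from the thread: script, developer
// public key, project signature over that key, and developer signature over the script.
type ScriptPackage struct {
	Script       []byte
	DevPubKey    ed25519.PublicKey
	ProjectCert  []byte // project-key signature over DevPubKey
	DevSignature []byte // developer-key signature over Script
}

// Verify checks the two-link chain: the developer key must be certified by the project
// key, and the script must be signed by that certified key. The key check comes first,
// so an uncertified key is rejected before its signature over the script is considered.
func Verify(pkg ScriptPackage, projectKey ed25519.PublicKey) error {
	if len(pkg.DevPubKey) != ed25519.PublicKeySize { // ed25519.Verify panics on bad sizes
		return errors.New("malformed developer public key")
	}
	if !ed25519.Verify(projectKey, pkg.DevPubKey, pkg.ProjectCert) {
		return errors.New("developer key not certified by project key")
	}
	if !ed25519.Verify(pkg.DevPubKey, pkg.Script, pkg.DevSignature) {
		return errors.New("script signature does not match developer key")
	}
	return nil
}

// BuildPackage signs a script with the developer key and certifies the developer key
// with the project key; it exists only to construct sample input for the demo.
func BuildPackage(script []byte, dev, project ed25519.PrivateKey) ScriptPackage {
	devPub := dev.Public().(ed25519.PublicKey)
	return ScriptPackage{script, devPub, ed25519.Sign(project, devPub), ed25519.Sign(dev, script)}
}

func main() {
	projectPub, projectPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, strangerPriv, _ := ed25519.GenerateKey(rand.Reader) // never certified by the project
	script := []byte("// constructed sample script body\n")
	fmt.Println("certified developer:", Verify(BuildPackage(script, devPriv, projectPriv), projectPub))
	fmt.Println("self-certified only:", Verify(BuildPackage(script, strangerPriv, strangerPriv), projectPub))
}
```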