On 8/22/07, Jesse Keating jkeating@redhat.com wrote:
On Wed, 22 Aug 2007 14:02:47 -0400 David Zeuthen davidz@redhat.com wrote:
To me, that's totally not what Colin is suggesting. In fact, there are things in his mail that actually suggest to *improve* security, such as replacing, IMO, useless dialogs like "Import this GPG key: <hexnumber>" with something more useful (his proposal about timeouts). See also my other mail about asking better questions like "Import this GPG key: <hexnumber>".
I got from it that he just wants to do away with the question entirely. I'm having a hard time figuring out where you guys want to go. On one hand you say you don't want dialogs at all that ask people to think or even respond; it just does things. On the other you say as soon as you allow installing software that is outside of the repos we ship, the jig is up and we shouldn't care about any sort of security from that point on. I'm lost :(
You are missing the fact that the action we take without asking the user doesn't have to be "accept"; it can be "deny". And "deny" doesn't mean that "we're taking capabilities away from the user", it means "people are forced to think about how this really should have worked". Asking the user is usually a cop-out for bad design and laziness.
For example, imagine that we enhance our system so that anyone can have a one-click link on their website to add their GPG key and yum repository, and we've done the work so:
A) The information displayed to the user has been audited to be accurate
B) We provide some sort of reputation system displayed right along with the question so that you have a basis for an informed decision
C) We check that you are downloading the information over a secure channel
Then Livna can put such a link on their web site along with instructions. And it works out vastly better than asking someone if they like a hex string or not.
- Owen
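As an added example (not code from this thread or from any Fedora or yum tool), a small Python audit of a yum .repo file against Owen's points A and C: what would be shown to the user is derived from the file itself, and any baseurl, mirrorlist, metalink or gpgkey URL not fetched over https is flagged. The section names, URLs and key paths below are constructed placeholders.

```python
"""Audit a yum .repo file before offering it to a user via a one-click link.

Added example, not code from the thread or from any Fedora tool. It checks
that gpgcheck is on, that a key source is given, and that every URL the
tool would fetch (baseurl, metalink, mirrorlist, gpgkey) uses https, so the
key and metadata arrive over a secure channel before any prompt is shown.
"""
import configparser
from urllib.parse import urlsplit

# Constructed sample, modelled on the format yum reads from
# /etc/yum.repos.d/*.repo; hostnames and key paths are placeholders.
SAMPLE_REPO = """
[example-secure]
name=Example repo (secure)
baseurl=https://repo.example.invalid/fedora/$releasever/$basearch/
enabled=1
gpgcheck=1
gpgkey=https://repo.example.invalid/RPM-GPG-KEY-example

[example-weak]
name=Example repo (weak)
mirrorlist=http://mirrors.example.invalid/list
enabled=1
gpgcheck=0
gpgkey=http://repo.example.invalid/RPM-GPG-KEY-example
"""

SOURCE_KEYS = ("baseurl", "metalink", "mirrorlist")
URL_KEYS = SOURCE_KEYS + ("gpgkey",)


def audit_repo_text(text):
    """Return {section: [problem, ...]} for every repo section in `text`.

    An empty list means the section passed every check.
    """
    # interpolation=None keeps yum variables like $releasever verbatim.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    report = {}
    for section in parser.sections():
        repo = parser[section]
        problems = []
        if repo.get("gpgcheck", "0") != "1":
            problems.append("gpgcheck is not enabled")
        elif "gpgkey" not in repo:
            problems.append("gpgcheck=1 but no gpgkey given")
        if not any(k in repo for k in SOURCE_KEYS):
            problems.append("no baseurl/metalink/mirrorlist")
        for key in URL_KEYS:
            # gpgkey may list several URLs separated by whitespace.
            for url in repo.get(key, "").split():
                if urlsplit(url).scheme != "https":
                    problems.append(f"{key} not fetched over https: {url}")
        report[section] = problems
    return report
```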