review: https://wiki.mozilla.org/Apps/Security#Trusted_store_with_permissions_delegation
(thank you to david for documenting this stuff, yeah!)

"A store (parent) may permit a trusted store (child) to grant a subset of parent's permissions"

no. this is a very bad idea. ok. maybe it is, maybe it isn't, but it has a couple of implications which need to be considered.

* delegation implicitly means that you have a hierarchical permissions system. hierarchical permissions systems have a bit of a problem in that once the genie is out of the bottle, you can't really get it back in. this is why the FLASK security model is *NOT* based on "hierarchical permissions". delegation is fundamentally and diametrically opposed to the principles behind FLASK (although you could theoretically express a hierarchical permissions system _using_ SE/Linux, if you really really wanted to).

* thinking from the perspective of debian package maintenance, you don't see them "delegating", do you? in 20 years, nobody's come up with the idea of "delegating" package maintenance. it's simply not needed. why? because...

* ...there is the concept of adding *peer* stores (in debian packaging terms). take a look at http://debian-multimedia.org. note on there, it says, "The first package to install is debian-multimedia-keyring. Since Squeeze you can install this package with apt-get but you need to presse Y when the package ask what to do and do not press return."

* then there are mirrors. mirrors just copy pre-signed packages. you don't need to "delegate", you just... do it. they're signed. they've been vetted. there's no problem. they're tamper-resistant.

l.

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
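As an added illustration of the two trust models the post contrasts (not code from the post, the Mozilla wiki, or Debian): a toy simulation in which a parent store delegates a subset of its permissions to a child store, and a client keyring trusts independent peer stores whose packages are signed. The store names, permission names, package bytes and keys are constructed, and HMAC-SHA256 stands in for the asymmetric signature a real store would use; `orphaned_grants` is the provenance check a defender would need in the hierarchical model to find grants that outlive a revoked delegation, whereas dropping a peer key from the keyring needs no such unwinding.

```python
# Added example, not from the mailing-list post. Names, keys and the
# HMAC "signature" are assumptions standing in for a real signing scheme.
import hashlib
import hmac
from dataclasses import dataclass, field


# ---- Model 1: hierarchical delegation (parent grants a child a subset) ----

@dataclass
class Store:
    name: str
    permissions: frozenset
    children: dict = field(default_factory=dict)

    def delegate(self, child_name, perms):
        """Create a child store allowed to grant only a subset of our permissions."""
        perms = frozenset(perms)
        if not perms <= self.permissions:
            raise PermissionError(f"{self.name} cannot delegate {sorted(perms - self.permissions)}")
        child = Store(child_name, perms)
        self.children[child_name] = child
        return child

    def revoke(self, child_name):
        """Remove the delegation. Apps already installed from the child keep their grants."""
        del self.children[child_name]


def install(store, app, perms, installed):
    """Install app from store with perms, recording which store granted them."""
    perms = frozenset(perms)
    if not perms <= store.permissions:
        raise PermissionError(f"{store.name} cannot grant {sorted(perms - store.permissions)}")
    installed[app] = (store.name, perms)


def reachable_stores(root):
    """Names of every store still reachable from root through the delegation tree."""
    names = {root.name}
    for child in root.children.values():
        names |= reachable_stores(child)
    return names


def orphaned_grants(root, installed):
    """Installed apps whose granting store no longer sits in the delegation tree.
    Without a provenance record like this, revoking a delegation changes nothing
    for apps that were already granted permissions through it."""
    live = reachable_stores(root)
    return {app: perms for app, (origin, perms) in installed.items() if origin not in live}


# ---- Model 2: peer stores, signed packages, client-side keyring ----

def sign(package_bytes, store_key):
    # HMAC-SHA256 stands in for a real asymmetric signature (constructed stand-in).
    return hmac.new(store_key, package_bytes, hashlib.sha256).digest()


def verify(package_bytes, signature, keyring):
    """True if any trusted store key (a peer, not a parent) signed the package."""
    return any(hmac.compare_digest(sign(package_bytes, k), signature)
               for k in keyring.values())


def demo():
    # Model 1: a partner store is delegated a subset, installs an app, then is revoked.
    root = Store("marketplace", frozenset({"camera", "contacts", "geolocation"}))
    partner = root.delegate("partner-store", {"camera", "geolocation"})
    installed = {}
    install(partner, "mapapp", {"geolocation"}, installed)
    root.revoke("partner-store")
    orphans = orphaned_grants(root, installed)  # mapapp still holds geolocation

    # Model 2: a peer store's signed package verifies only while its key is trusted.
    keyring = {"debian": b"constructed-key-debian",
               "debian-multimedia": b"constructed-key-dmo"}
    pkg = b"constructed package contents"
    sig = sign(pkg, keyring["debian-multimedia"])
    ok_before = verify(pkg, sig, keyring)
    del keyring["debian-multimedia"]  # drop the peer: nothing else to unwind
    ok_after = verify(pkg, sig, keyring)
    return orphans, ok_before, ok_after


if __name__ == "__main__":
    print(demo())
```

Running the block shows the asymmetry: after `revoke`, `orphaned_grants` still reports `mapapp` holding `geolocation`, because the grant lives in the installed-app record rather than in the delegation tree, while in the peer model removing one key from the keyring immediately makes that store's packages fail verification.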