On Thu, Mar 15, 2012 at 12:09 AM, David Chan <dc...@mozilla.com> wrote:

> Thanks for reviewing the wiki. I'll add your concerns to that section. If I'm
> understanding correctly, you are arguing for a flat "hierarchy", peers in the
> debian sense.
absolutely. the analogy is "entries in /etc/apt/sources.list".

> The analogous idea in the B2G world would be that Mozilla,
> telcos, company foo could all run their own stores.

yes.

> If a user doesn't like
> the policies of the existing stores, they can start their own.

yes! and, as you can see from the ... the gpg-keyring thing, they would need to create one of those, keep the private key ultra-secure, sign all packages etc. etc.

but if people don't _want_ to trust the (new) store, they just... don't install the keyring, and don't modify /etc/apt/sources.list. simple.

> However,
> there wouldn't be a way for Mozilla to say, "I trust store bar" so I'm
> going to give them the same privileges as me.

yes there is: they have a (preinstalled?) app which adds extra entries to /etc/apt/sources.list (which could be done very easily now by actually installing an entry into /etc/apt/sources.list.d) and also what they do is they sign the *initial* gpg-keyring package for the new store.... with *their* key :)

so it is actually possible to "delegate" trust to a new store, through this method... but... it makes me nervous :)

if the new store wants to "take over" and become independent, what they do is they make two new packages with "Replaces" in the debian package specification file, which say:

"Replaces: mozilla-gpg-keyring-delegating-to-store-foo"
"Replaces: mozilla-sources-list-for-store-foo"

but obviously these two packages would now contain *their* HTTP store location and *their* GPG keyring... signed with their own GPG private key. er :) whereas the older one was *their* GPG keyring package signed by *mozilla*'s private key.

> The "peer" model sounds fine to me. It still allows multiple stores.

*sigh* and delegation (through the above hack)

> The
> selfhost issue Jonas brought up doesn't seem to apply if the packages
> are signed.

self-host... selfhost... i'm lost. sorry. do you have a reference (wiki URL) which explains?
> I could host my own app and have it on the store at the same
> time. There is still the question of granting permissions. I'm not sure
> if the store is the proper entity to decide whether an app can obtain
> permission X/Y/Z.

*deep breath*.... :)

the permissions need to be codified in some format (text file?) which is incorporated into the OS once they're downloaded, unpacked and installed.

however because those permissions *are* just "a text file", they *can* be included.... as part of the GPG-signed package (by the developer) :)

not only that, but prior to the FTP Masters letting it out the door, they can review the permissions file. if the permissions are ridiculously over-permissive, the FTP Masters really should not sign the package. meaning, it wouldn't get released.

which, unfortunately, makes the people managing the store the equivalent of "apple". whoops. but, there you go.

it seems to work for debian, but that's because they have 1,000 people with a ring-of-trust, and those 1,000 people are often *not* the developers of the package. they have some free time to give, and a reputation to maintain.

ultimately, the _store_ doesn't decide... but a human does.

l.

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
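The keyring delegation scheme discussed in the message above (store keys live in an installed keyring; a new store's keyring package is accepted only when an already trusted store signed it, and the newly trusted store can afterwards re-sign its own keyring and become independent), as an added example in Go that is not part of this thread or of any B2G or Debian code. It stands in ed25519 for GPG, and the store names, package names and payloads are made up; it models only the trust-chain logic, not apt, dpkg or the "Replaces" mechanics.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Store is one app store with its own signing key, the analogue of the GPG
// key behind a Debian archive's keyring package.
type Store struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// Package is a signed unit (an app, or a keyring package carrying another
// store's public key) plus the name of the key that signed it.
type Package struct {
	Name, Signer string
	Payload, Sig []byte
}

// Keyring is the set of installed, trusted store keys.
type Keyring map[string]ed25519.PublicKey

func NewStore(name string) *Store {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Store{Name: name, Pub: pub, priv: priv}
}

// Sign is the store (its "FTP Masters") signing a package with its key.
func (s *Store) Sign(name string, payload []byte) Package {
	return Package{name, s.Name, payload, ed25519.Sign(s.priv, payload)}
}

// Verify accepts a package only if its signer's key is already installed.
func (k Keyring) Verify(p Package) bool {
	pub, ok := k[p.Signer]
	return ok && ed25519.Verify(pub, p.Payload, p.Sig)
}

// Delegate installs a keyring package for newStore, but only if it was signed
// by a store that is already trusted: trust only flows from installed keys.
func (k Keyring) Delegate(newStore string, p Package) bool {
	if !k.Verify(p) || len(p.Payload) != ed25519.PublicKeySize {
		return false
	}
	k[newStore] = ed25519.PublicKey(p.Payload)
	return true
}
```

Once "foo" is in the keyring, a keyring package for "foo" signed by foo's own key is also accepted, which is exactly the "take over and become independent" step the message describes; a device that wants delegation to stay revocable would have to record who vouched for each key and re-check that chain.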