On Wed, Nov 13, 2002 at 05:22:29PM -0600, Edgar Friendly wrote:
> I agree that distribution of node references is bad to do in a
> centralized manner; I wasn't arguing against that. I'm just thinking
> that the people who can't d/l fred off fp.org will just get it a
> different way themselves.

And this is just such a "different way".

> As for people who already have fred; just have the developers(tm)
> author a freesite with the latest builds, and include the URI for that
> site on the fproxy homepage.

Who looks after the private key? Me? Oskar? What if one of us is bribed or coerced into giving it up? What if someone breaks in and steals the private key off our computers? What if whoever has it loses it? Maintaining a private key for a project like Freenet is far from a trivial task.

> I mean only that there's no way for me to prove that the file I'm
> sending you is the version of fred I'm running.

The assumption is that people will send Freenet to people who trust them already.

> adding veto subspaces makes the process slower for everyone (and much
> more complicated) and makes the barrier for compromise only slightly
> higher.

Not at all. Developers only have to do something in the (hopefully) unlikely event that the jar is compromised, and the retrieval of the jar can take place in the background so the end-user is not inconvenienced.

As for making the barrier for compromise only "slightly" higher - how, pray tell, are you quantifying this? The difference between having absolutely no recourse if the private key or build process is compromised, and having an effective recourse is much more than a slight improvement in reliability.

> I still think the Right Way to do this is by having an official
> download freesite.

The private key management issues mean that it simply can't be that simple. There must be a mechanism to revoke the private key if it is compromised, and vetoes are the best suggestion yet as to how to do this.

Ian.

-- 
Ian Clarke ian@[freenetproject.org|locut.us|cematics.com]
Latest Project http://cematics.com/kanzi
Personal Homepage http://locut.us/
