A common VFS and a Common conf-system (Was: namespacing)

[Robert Wittams]

Jamie McCracken wrote:
> 
> That wasn't my assumption at all. Security conscious users would of 
> course only install digitally signed apps from trusted parties so this 
> entire issue for them at least would be (or should be) irrelevant.
> 
> Apps that do actually need passwords can be malicious too so even expert 
> users can get caught. Its folly to be complacent with security and 
> digital signing seems to be the most foolproof method we can use.

All this gets you is "Your vendor is not aware of any security critical 
bugs in this code".

This is a pretty weak assertion. Signed apps just mean that someone has 
to either
a) Fool the vendor
b) Find an exploit the vendor hasn't found

This unfortunately is not as hard as you seem to believe. There is a lot 
of code out there.

This is also the ActiveX security model. That went well, didn't it?

Any secure attention key system or unspoofable window system for X will 
also be tied into systems like SELinux. This means users can be assured 
that windows come from a particular secure domain.

There is no known solution for the "confused deputy" problem, where some 
other process fools your authentication helper, other than making it 
very hard to confuse. That it is a lot easier that making the tens of 
millions of lines of code on the average free desktop system trustworthy.

So digitally signed packages are one layer of the solution, but they are 
absolutely not "the most foolproof method", and can not exist in isolation.