[packagekit] This dialog sucks

Patryk Zawadzki patrys at pld-linux.org
Thu Apr 23 02:11:23 PDT 2009


On Thu, Apr 23, 2009 at 10:47 AM, Richard Hughes <hughsient at gmail.com> wrote:
> On Wed, 2009-04-22 at 10:16 -0400, Matthias Clasen wrote:
>> Thanks, some things are clearly improved in this mockup.
>> But some problems remain:
> What about the attached?

I don't agree with the following:

* "normally, software is signed with a key to prove that they have not
been tampered with" - not really, I think packages are signed to
indicate that someone has trust in their contents, whether you trust
that someone has nothing to do with altering package contents or not -
that would be only meaningful if the signature was proven to be
invalid)

* "if you do not recognize Foo repository" - of course you recognize
it, that's the whole point of main-in-the-middle attacks and website
spoofs, you are supposed to trust the signature, not who the signing
party claims to be (anyone can generate a key that claims to originate
from RedHat)

Another proposition:

<big>Attempting to install untrusted software</big>

The <b>foo-bar</b> package has a valid digital signature but the key
is not known so the system can not verify the origin of the software.
This could mean that the package you are trying to install was not
designed to work with your system or that it contains malicious
software. If unsure, choose "Cancel installation" and contact your
system vendor.

- ↓ Show details -

Key fingerprint: 00 DEAD BEEF BAAD F00D
Signing party: Evil Inc. <evil at malware.com>
Intentions: 90% Evil

[ I understand the risk ] [ Cancel installation (default) ]

-- 
Patryk Zawadzki



More information about the PackageKit mailing list