[packagekit] This dialog sucks

Alexander Boström abo at stacken.kth.se
Thu Apr 30 13:17:48 PDT 2009


Lurker opinions:

This dialog only protects against DNS spoofing and other MITM attacks 
against web servers, and only partially so. It's too late to ask about 
packager trust. That question was already implicitly answered when the 
user clicked the yoyopak-release package at the yoyopak website and 
installed it, probably without any signature verification.

So what to do:

1. If the key URL matches file:///etc/pki/rpm-gpg/* (or similar for 
other backends) then don't ask at all. It's too late anyway, since 
anyone who can create a yoyopak.repo file can also place a public key at 
the right place. Maybe PK already does that?

2. If the key is from an https:// URL and the certificate verifies 
correctly then also don't ask at all. Trust the .repo, someone with the 
right access put it there already.

3. Else show the fingerprint (not just the key ID) and ask the user if 
it matches the fingerprint provided by <name of repository>.

------------------------------------
A signature key with the fingerprint
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
was found.

Is this a key provided by the
"yoyopak" software repository?
Yes/No
------------------------------------

Yeah, the last one sucks because it teaches users to always click yes 
but there's no way around it unless a proper key infrastructure (PKI, 
PGP WoT, DNSSEC etc.) is used. Most people won't see that dialog anyway 
since any sane repo will be handled at (1) or (2).

Also, if you don't like my (1) and (2) you can add a non-scary "info" 
level dialog there:

------------------------------------
A signature key with the fingerprint
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
was provided by "yoyopak" and will be
used to verify software integrity
during installation.
Ok/Cancel
------------------------------------

/abo
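The three-rule policy from the post, worked through as an added example. This is not PackageKit, yum or Alexander's code; the function names (classify_key_source, decide, prompt_text), the sample .repo contents, the invalid hostnames and the throwaway key material are all assumptions made for this example. Rule 2 depends on the result of a real TLS fetch, which is modelled here as a caller-supplied predicate; rule 3 computes the full v4 OpenPGP fingerprint (RFC 4880, section 12.2) rather than the short key ID, and the rule 1 path check normalises the path so a file:// URL with ".." components cannot pass as a system key.

```python
"""Added example (not PackageKit or yum code): the three-rule policy from
the post for deciding whether a repository signing key needs a user prompt.

Names here (classify_key_source, decide, SAMPLE_REPO, the toy key) are
assumptions made for this example, not PackageKit API.
"""
import configparser
import hashlib
import posixpath
import struct
from typing import Callable, Dict
from urllib.parse import urlparse

# Rule 1: keys already placed in the system key directory are trusted
# implicitly (the post's file:///etc/pki/rpm-gpg/* case). Other backends
# would list their own directories here.
TRUSTED_KEY_DIRS = ("/etc/pki/rpm-gpg",)


def classify_key_source(gpgkey_url: str, https_cert_verified: bool) -> str:
    """Return 'trust-local' (rule 1), 'trust-https' (rule 2) or 'prompt' (rule 3)."""
    u = urlparse(gpgkey_url)
    if u.scheme == "file" and u.netloc in ("", "localhost"):
        # Normalise so file:///etc/pki/rpm-gpg/../../tmp/x does not pass rule 1.
        path = posixpath.normpath(u.path)
        for d in TRUSTED_KEY_DIRS:
            if path.startswith(d.rstrip("/") + "/"):
                return "trust-local"
    if u.scheme == "https" and https_cert_verified:
        return "trust-https"
    return "prompt"


def decide(repo_text: str,
           https_verified: Callable[[str], bool] = lambda url: False
           ) -> Dict[str, Dict[str, str]]:
    """Map each repo section to {gpgkey_url: classification}.

    `https_verified` stands in for the outcome of the real TLS fetch; the
    default assumes nothing was verified, so https keys fall through to a
    prompt. yum allows several whitespace-separated URLs on one gpgkey line.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(repo_text)
    result: Dict[str, Dict[str, str]] = {}
    for section in cp.sections():
        urls = cp.get(section, "gpgkey", fallback="").split()
        result[section] = {
            url: classify_key_source(url, https_verified(url)) for url in urls
        }
    return result


def openpgp_v4_fingerprint(pubkey_body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, a two-octet body length, and the body."""
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(pubkey_body)) + pubkey_body)
    return digest.hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """The 64-bit key ID is only the low 16 hex digits; the post wants the full value shown."""
    return fingerprint[-16:]


def format_fingerprint(fingerprint: str) -> str:
    """Group into blocks of four hex digits, as gpg --fingerprint does."""
    return " ".join(fingerprint[i:i + 4] for i in range(0, len(fingerprint), 4))


def build_v4_rsa_pubkey_body(n: int, e: int, created: int) -> bytes:
    """Minimal v4 RSA public-key packet body: version, creation time, algo 1, MPIs."""
    def mpi(x: int) -> bytes:
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def prompt_text(repo_name: str, fingerprint: str) -> str:
    """Rule 3 dialog text, with the full fingerprint rather than the key ID."""
    return (
        "A signature key with the fingerprint\n"
        f"{format_fingerprint(fingerprint)}\n"
        "was found.\n\n"
        f"Is this a key provided by the\n\"{repo_name}\" software repository?"
    )


# Constructed .repo content for this example; the hosts and key do not exist.
SAMPLE_REPO = """\
[yoyopak]
name=YoYoPak
baseurl=http://mirror.example.invalid/yoyopak/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-yoyopak

[yoyopak-testing]
name=YoYoPak testing
baseurl=http://mirror.example.invalid/yoyopak-testing/
gpgcheck=1
gpgkey=http://mirror.example.invalid/RPM-GPG-KEY-yoyopak https://keys.example.invalid/yoyopak.asc
"""

# Toy key material: a throwaway 64-bit modulus, not a usable RSA key.
TOY_KEY_BODY = build_v4_rsa_pubkey_body(0xC0FFEE1234567891, 65537, 1240950000)

if __name__ == "__main__":
    verdicts = decide(SAMPLE_REPO, https_verified=lambda u: u.startswith("https://keys."))
    for repo, keys in verdicts.items():
        for url, verdict in keys.items():
            print(f"{repo}: {url} -> {verdict}")
    print()
    print(prompt_text("yoyopak", openpgp_v4_fingerprint(TOY_KEY_BODY)))
```

Run as a script it prints one verdict per gpgkey URL and the rule 3 dialog for the toy key. An https key whose certificate did not verify is reported as 'prompt' here, the same bucket as a plain http key; a stricter policy could treat a failed certificate check as an error rather than a question for the user, since it is exactly the MITM case the dialog is meant to catch.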


