A common VFS and a Common conf-system (Was: namespacing)
robert at wittams.com
Sat Apr 2 14:31:36 EEST 2005
Jamie McCracken wrote:
> That wasn't my assumption at all. Security conscious users would of
> course only install digitally signed apps from trusted parties so this
> entire issue for them at least would be (or should be) irrelevant.
> Apps that do actually need passwords can be malicious too so even expert
> users can get caught. It's folly to be complacent with security and
> digital signing seems to be the most foolproof method we can use.
All this gets you is "Your vendor is not aware of any security critical
bugs in this code".
This is a pretty weak assertion. Signed apps just mean that someone has to
a) fool the vendor, or
b) find an exploit the vendor hasn't found.
This unfortunately is not as hard as you seem to believe. There is a lot
of code out there.
This is also the ActiveX security model. That went well, didn't it?
Any secure attention key system or unspoofable window system for X will
also be tied into systems like SELinux. This means users can be assured
that windows come from a particular secure domain.
There is no known solution for the "confused deputy" problem, where some
other process fools your authentication helper, other than making it
very hard to confuse. That is a lot easier than making the tens of
millions of lines of code on the average free desktop system trustworthy.
So digitally signed packages are one layer of the solution, but they are
absolutely not "the most foolproof method", and can not exist in isolation.