[maemo-developers] What's the best attack? (Re: How to use extras-testing correctly?)
From: Benoît HERVIER khertan at khertan.net
Date: Mon Sep 28 22:21:57 EEST 2009
- Previous message: What's the best attack? (Re: How to use extras-testing correctly?)
- Next message: Community widgets for Fremantle
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Yeah ... come back to the old time where every developer creates his own repository. :)

2009/9/28 gary liquid <liquid at gmail.com>:
>
> On Fri, Sep 25, 2009 at 5:29 PM, <tero.kojo at nokia.com> wrote:
>>
>> ----- Original message -----
>> > the apps in maemo extras *should* be trusted because we, the community,
>> > trust the developers who put them there.
>>
>> Gary, I trust the community, but I really want to be sure.
>>
>> It is also because I like the community so much that I want to keep extras
>> a safe place. For some new users it will be the first point of contact to
>> OSS. If that contact is good, more people will find the community and more
>> will join.
>
> nobody can anonymously upload to extras without first applying.
> from a community perspective, there is already a feeling of being vetted
> prior to getting upload rights.
>>
>> > it would take 1 bad report to have the software removed from extras.
>> >
>> > it's a worrying scenario for some people, but this isn't the wild west
>> > and like all trust based mechanisms, people in the community are given
>> > rights to upload hopefully based on their standing.
>>
>> That would be one form of security I would be ok with.
>> But screening people (karma or participation or whatever) for the right to
>> upload is even more questionable than having a team of testers go through
>> the apps. Everyone has to have the right to put their stuff to
>> devel and testing.
>
> as said, there is already an application stage.
> if the community mindset is there of vetting, no matter how vague, it helps.
>>
>> > There are many steps along the way to being involved in the community
>> > and i do not see why an individual would be nefarious enough to go
>> > through all those just to infect a few machines.
>> >
>> > people are given rights and responsibilities and mechanisms are in place
>> > to hopefully prevent an incident such as you are describing.
>>
>> Pretty much so. But I don't want to risk even a single case however
>> unlikely it is.
>
> *nod* this is a common goal.
>>
>> > it falls on each and every one of us to maintain that trust.
>>
>> It is about trust, but there is the question of security too.
>>
>> I hope the solution that is now implemented is one that works, but as
>> always, if practice shows that it needs to be rethought, then we will.
>
> yes, testing is the further step and should help to prevent even the most
> determined of individuals.
> it is rare to see applications coming through maemo.org where there isn't
> community participation at some level
>
> gary
>>
>> Tero
>>
>> > gary
>> >
>> > On Fri, Sep 25, 2009 at 3:40 PM, David Greaves
>> > <david at dgreaves.com> wrote:
>> >
>> > tero.kojo at nokia.com wrote:
>> > > ----- Original message -----
>> > > >
>> > > > I realise this is a slightly different question (hence the new
>> > > > subject)
>> > > >
>> > > > OK, say I have an evil twin who wants to attack ('own') a lot of
>> > > > Nokia N900 devices. How do I do this?
>> > >
>> > > I hope that was rhetorical. Tell your evil twin to do something
>> > > useful.
>> >
>> > Err, no it wasn't rhetorical; it was hypothetical though in case you were
>> > worried.
>> >
>> > It's more about being responsible :)
>> > Actually it is very late in the day to be asking... but hey, it sounds
>> > like a topic worth raising.
>> >
>> > > > Does extras-testing factor into this?
>> > >
>> > > At least so that I would prefer maemo.org extras to be clean from
>> > > malware. It is much easier to promote it in Nokia internally when
>> > > extras contains good software.
>> >
>> > I agree 100% ... all it takes is one example of malware introduced into
>> > an OSS product and we (and Nokia) could lose a lot of credibility.
>> >
>> > I wonder how much that could be worth to some people? Maybe worth a
>> > deliberate attack? Maybe someone is playing a longer game?
>> >
>> > I just hope we are not planning on taking the "cross your fingers and
>> > toes *REALLY HARD* and hope everyone is nice to us" approach to
>> > security ;)
>> >
>> > Discuss...
>> >
>> > David
>> >
>> > --
>> > "Don't worry, you'll be fine; I saw it work in a cartoon once..."

--
Benoît HERVIER - http://khertan.net/