<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="generator" content="Osso Notes">
<title></title></head>
<body>
<p>----- Original message -----
<br/>> the apps in maemo extras *should* be trusted because we, the community, trust
<br/>> the developers who put them there.
<br/>
<br/>Gary, I trust the community, but I really want to be sure.
<br/>
<br/>It is also because I like the community so much that I want to keep extras a safe place. For some new users it will be the first point of contact to OSS. If that contact is good, more people will find the community and more will join.
<br/>
<br/>> it would take 1 bad report to have the software removed from extras.
<br/>>
<br/>> it's a worrying scenario for some people, but this isn't the wild west and like
<br/>> all trust based mechanisms, people in the community are given rights to upload
<br/>> hopefully based on their standing.
<br/>
<br/>That would be one form of security I would be ok with.
<br/>But screening people (karma or participation or whatever) for the right to upload is even more questionable than having a team of testers go through the apps. Everyone has to have the right to put their stuff to devel and testing.
<br/>
<br/>> There are many steps along the way to being involved in the community and i do
<br/>> not see why an individual would be nefarious enough to go through all those just
<br/>> to infect a few machines.
<br/>>
<br/>> people are given rights and responsibilities and mechanisms are in place to
<br/>> hopefully prevent an incident such as you are describing.
<br/>
<br/>Pretty much so. But I don't want to risk even a single case however unlikely it is.
<br/>
<br/>> it falls on each and every one of us to maintain that trust.
<br/>
<br/>It is about trust, but there is the question of security too.
<br/>
<br/>I hope the solution that is now implemented is one that works, but as always, if practice shows that it needs to be rethought, then we will.
<br/>
<br/>Tero
<br/>
<br/>> gary
<br/>>
<br/>> On Fri, Sep 25, 2009 at 3:40 PM, David Greaves
<br/>> <<a href="mailto:david@dgreaves.com">david@dgreaves.com</a>> wrote:
<br/>>
<br/>> <a href="mailto:tero.kojo@nokia.com">tero.kojo@nokia.com</a> wrote:
<br/>> > ----- Original message -----
<br/>> > >
<br/>>
<br/>> > > I realise this is a slightly different question (hence the new subject)
<br/>> > >
<br/>> > > OK, say I have an evil twin who wants to attack ('own') a lot of Nokia N900
<br/>> > > devices. How do I do this?
<br/>> >
<br/>> > I hope that was rhetorical. Tell your evil twin to do something useful.
<br/>>
<br/>>
<br/>> Err, no it wasn't rhetorical; it was hypothetical though in case you were worried.
<br/>>
<br/>> It's more about being responsible :)
<br/>> Actually it is very late in the day to be asking... but hey, it sounds like a
<br/>> topic worth raising.
<br/>>
<br/>> > > Does extras-testing factor into this?
<br/>> >
<br/>> > At least so that I would prefer maemo.org extras to be clean from
<br/>> > malware. It is much easier to promote it in Nokia internally when extras
<br/>> > contains good software.
<br/>>
<br/>>
<br/>> I agree 100% ... all it takes is one example of malware introduced into an OSS
<br/>> product and we (and Nokia) could lose a lot of credibility.
<br/>>
<br/>> I wonder how much that could be worth to some people? Maybe worth a deliberate
<br/>> attack? Maybe someone is playing a longer game?
<br/>>
<br/>> I just hope we are not planning on taking the "cross your fingers and toes
<br/>> *REALLY HARD* and hope everyone is nice to us" approach to security ;)
<br/>>
<br/>> Discuss...
<br/>>
<br/>> David
<br/>>
<br/>>
<br/>> --
<br/>> "Don't worry, you'll be fine; I saw it work in a cartoon once..."
<br/>>
<br/>>
<br/>>
<br/>> _______________________________________________
<br/>> maemo-developers mailing list
<br/>> <a href="mailto:maemo-developers@maemo.org">maemo-developers@maemo.org</a>
<br/>> <a href="https://lists.maemo.org/mailman/listinfo/maemo-developers">https://lists.maemo.org/mailman/listinfo/maemo-developers</a>
<br/><br/></p>
</body>
</html>