launchpad-dev team mailing list archive

Thread
Date

Re: Idea: Trusted PPAs

To: Shane Fagan <shanepatrickfagan@xxxxxxxxxx>
From: Michael Nelson <michael.nelson@xxxxxxxxxxxxx>
Date: Wed, 07 Oct 2009 16:59:52 +0200
Cc: launchpad-dev@xxxxxxxxxxxxxxxxxxx
In-reply-to: <1254925599.2227.10.camel@U0>
User-agent: Thunderbird 2.0.0.23 (X11/20090817)

Shane Fagan wrote:
> Hi,
> 
> I just had an idea about PPAs. At the moment there is no way to prove
> that the person is trusted. This is important because like installing
> any software PPAs can be used maliciously (although I havent heard of it
> happening yet). I suggest that if a person is a core dev or maybe
> introduce a basic voting system (is this PPA safe? yes or no). If a few
> people answer no then the PPA should be checked. If a certain ammount of
> people answer yes they get a trusted mark on their PPA page. I got the
> idea from how twitter deals with famous people. 
> Any thoughts?
> 

Hi Shane,

Yes, I think it's a great idea - but one without an easy solution (at
least, that I can think of). The biggest issue is *who* decides whether
something is trustworthy. In your scenario above, it's the crowd, with
Launchpad being the official stamp (and some board of reviewers
reviewing the PPAs that should be checked). So it's potentially easily
swayed and essentially has a central authority. - the end-user just sees
"trusted".

This came up in discussions at the last UDS with DoctorMo, and out of
that, one idea was for a decentralised trust system based on signed
trust certificates that could exist in the archive itself. So a PPA
could collect signed trust certificates and users could see that a PPA
is trusted by 35 individuals and 3 organisations (with details etc.). In
this way there would be no trusted/not-trusted icon, but just summary
and details of who trusts a PPA/archive (with the ability of signees to
write exactly how they trust the PPA, and for users' client app to
verify the trust by checking the signature etc.).

Details of the discussion/links at:

http://micknelson.wordpress.com/2009/06/02/trusted-software-archives/

Cheers,
Michael

> Shane
> 
> 
> _______________________________________________
> Mailing list: https://launchpad.net/~launchpad-dev
> Post to     : launchpad-dev@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~launchpad-dev
> More help   : https://help.launchpad.net/ListHelp

-- 
Michael

References

Idea: Trusted PPAs
From: Shane Fagan, 2009-10-07