Re: xdg-app discussions at the GNOME DX hackfest
On Fri, Jan 30, 2015 at 5:28 AM, Allan Day <allanpday gmail com> wrote:
> One possibility - certificates could be issued for authors wanting to release xdg applications. These would then be used to sign applications, and unsigned apps could then be flagged as untrusted.

Exactly what Windows does. So what did we learn from their experience: this will be completely worthless unless we actually prohibit users from running such apps. Have you ever actually heeded the security warning you see when you try to start an unsigned Windows app? Of course not, you just click through it, because you want to run the software. There is no value in having it, then, only the harm of teaching users to ignore security warnings.

If we do code signing, certificates must be mandatory and users must have no recourse to run untrusted software (short of some difficult process to "unlock" the device). And that would be a very significant freedom-restricting change for our platform. I would much rather rely on sandboxing to restrict the capabilities of apps. An alternative would be to require code signing for unsandboxed apps only. That might work -- distros would sign their own packages, then if you want to run something from a third-party they would need to either use our sandbox framework or get a certificate from GNOME.

> Software could allow users to report malicious applications (this could be integrated into Software), and certificates could be revoked as necessary. A corresponding process might be required for applications that have unintentional security issues.

Remote-disabling apps that have security issues, forcing app authors to address them, does sound quite appealing. It is also somewhat Orwellian, no? Like when Amazon deleted every Kindle copy of 1984. Still might be worth it....