Re: ASDF-INSTALL for CMUCL, CLISP, AllegroCL, and LispWorks - plus tutorial
nikodemus_at_random-state.net
Date: 04/24/04
- Next message: nikodemus_at_random-state.net: "Re: ASDF-INSTALL for CMUCL, CLISP, AllegroCL, and LispWorks - plus tutorial"
- Previous message: David Steuber: "Re: Does function foo exist?"
- In reply to: rif: "Re: ASDF-INSTALL for CMUCL, CLISP, AllegroCL, and LispWorks - plus tutorial"
- Next in thread: nikodemus_at_random-state.net: "Re: ASDF-INSTALL for CMUCL, CLISP, AllegroCL, and LispWorks - plus tutorial"
- Reply: nikodemus_at_random-state.net: "Re: ASDF-INSTALL for CMUCL, CLISP, AllegroCL, and LispWorks - plus tutorial"
- Reply: rif: "Re: ASDF-INSTALL for CMUCL, CLISP, AllegroCL, and LispWorks - plus tutorial"
Date: 23 Apr 2004 23:35:55 GMT
rif <rif@mit.edu> wrote:
> But what do you mean by "asdf-install telling me there's a problem?"
> AFAICT, unless the person who wrote the package's key is in my keyring
> AND I've established a trust relationship with them, then ASDF-INSTALL
> will ALWAYS say there's a problem.
Not quite.
Establishing a web of trust, while good and recommended, isn't strictly
speaking necessary. A web of trust usually means that you trust the person
behind the key to really be who he claims to be, which is largely orthogonal
to whether or not you trust that person to write non-malicious software.
You can treat a public key as an opaque identity associated with a source of
software.
Example:
Alice is a software author who writes dependable, non-malicious software.
Bob is a software author who writes essentially good software, but is sloppy
in his own security, and the packages he uploads are occasionally
trojaned.
Clark is an evil person, whose pretended online personality has nothing to
do with his real identity. His long term plan is to gain the trust of
millions and then misuse it by sneaking evilware onto their computers.
Compare the situations using the person's public key as an opaque
electronic identity vs. having a web of trust:
Alice: No essential difference.
Bob: If your box is compromised you might try to sue for damages.
Clark: You're protected because you refuse to download software
from authors you don't have a web of trust to.
So having a web of trust only protects you from those malicious authors who
hide behind faked identities. Using the opaque identity gives you identical
security vs. tampered cliki redirects, etc. as a web of trust. I, personally,
don't regard it as necessary for installing stuff -- your mileage will vary
depending on your security needs.
Also, getting a web of trust to persons X is most of the time quite doable
if it's important enough to warrant a little effort. A fair number of free
lisp developers are decently connected, and a few are extremely well
connected -- if you get to the Debian web of trust you probably have a web
of trust to most authors.
Now, you apparently disregarded my allusion to the "pyramid of trust", which
is essentially a flawed version of web of trust, but very easy to establish,
and still somewhat better than nothing. You can e.g. decide to trust for
installation purposes all keys signed by keymaster@common-lisp.net, or
whomever, thusly gaining multiple weakly trusted keys in one whopping step.
If the key you decide to trust is an "institutional one" like the
aforementioned keymaster@common-lisp.net the net effect is essentially the
same as if there was a central authority, you just get to decide who it is
for you.
> Do you go get people's keys and put them in your keyring,
Yes. This is _not_ a chore: the keys are on the keyservers and gpg knows how
to fetch them. Unless there are multiple keys (hasn't happened to me yet)
I live with the assumption that it's the right one. If the key is not on a
keyserver I fetch it from the author's webpage or whatever: it's a
one-time-job, as opposed to installation which will happen with every new
version.
I don't sign the keys trusted, but let asdf-install add them to its own
trusted uids collection.
> method, then I suggest that using ASDF-INSTALL is no more "automated"
> than simply downloading packages directly from people's pages, unless
> you're downloading a lot of packages signed by one individual.
Bull. As said, GPG knows how to pull keys, and pulling keys is a one time
thing, as opposed to installation. Furthermore, as it happens the actual
number of people writing asdf-installable packages is rather small compared
to the number of packages -- so you are very very likely to install multiple
packages by the same author.
The real value of asdf-install for me is in tracking dependencies.
-- Nikodemus
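The three trust policies Nikodemus contrasts (pinning a key as an opaque identity, a proper web of trust, and the "pyramid" of trusting everything an institutional key has signed) are spelled out below as an added example; this is not asdf-install's code and does no real cryptography. Keys are stand-in fingerprints, certifications are a hand-built graph, and the Alice/Bob/Clark/MALLORY scenario is constructed data.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class TrustStore:
    """Local trust state.  Keys are opaque fingerprints; certs maps a
    signing key to the keys it has certified (no real crypto here)."""
    pinned: dict = field(default_factory=dict)       # package -> fingerprint
    wot_roots: set = field(default_factory=set)      # identities verified in person
    institutional: set = field(default_factory=set)  # e.g. a keymaster key
    certs: dict = field(default_factory=dict)        # signer -> {signed keys}

def opaque_identity_ok(store, package, signer):
    """Pin the first key seen for a package; later versions must match it.
    Catches a swapped download or redirect, not a consistently used fake
    identity such as Clark's."""
    return store.pinned.setdefault(package, signer) == signer

def web_of_trust_ok(store, signer, max_hops=3):
    """Accept a key reachable from a verified root via <= max_hops certs."""
    queue, seen = deque((r, 0) for r in store.wot_roots), set()
    while queue:
        key, hops = queue.popleft()
        if key == signer:
            return True
        if key in seen or hops == max_hops:
            continue
        seen.add(key)
        queue.extend((k, hops + 1) for k in store.certs.get(key, ()))
    return False

def pyramid_ok(store, signer):
    """Accept any key certified directly by a designated institutional key."""
    return any(signer in store.certs.get(k, ()) for k in store.institutional)

def scenario():
    """Constructed data: Alice, Bob and Clark all had their keys signed by
    a keymaster; only Alice and Bob are reachable from my in-person web of
    trust; a tampered redirect serves alice-lib re-signed with MALLORY's key."""
    s = TrustStore(wot_roots={"ME"}, institutional={"KEYMASTER"},
                   certs={"ME": {"DEBIAN-DEV"}, "DEBIAN-DEV": {"ALICE", "BOB"},
                          "KEYMASTER": {"ALICE", "BOB", "CLARK"}})
    checks = [("alice-lib", "ALICE"), ("bob-lib", "BOB"), ("clark-lib", "CLARK"),
              ("alice-lib", "MALLORY")]  # last one: alice-lib via a tampered redirect
    return {f"{p}/{k}": (opaque_identity_ok(s, p, k), web_of_trust_ok(s, k), pyramid_ok(s, k))
            for p, k in checks}
```

Each result is (opaque, web-of-trust, pyramid): all three reject the re-signed alice-lib, only the web of trust rejects Clark, and none of them says anything about Bob's sloppy key hygiene, which is the thread's point.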