[Qgis-psc] [SAC] Osgeo Code signing certificates

Jonathan Moules jonathan-lists at lightpear.com
Wed Apr 20 08:23:58 PDT 2016


Hi Sandro,

> I've nothing against code-signing, but I think the user needs to be able to decide who to trust.
The problem is that users (everyone actually) are fundamentally incapable of reliably deciding who they can and should trust. The entire Spam, Phishing, Spear-Phishing, and Malware industries are predicated on this basic fact. Humans have millennia of evolution working against them in the form of various cognitive biases that any capable attacker can easily exploit to produce "trust". Even more technically savvy users are still susceptible to a sufficiently advanced attack.

That said, I don't know what the solution is, but I do know that relying on user awareness is a recipe for the botnet filled internet we have today.

Cheers,
Jonathan




---- On Wed, 20 Apr 2016 11:54:25 +0100 Sandro Santilli <strk at keybit.net> wrote ----

On Wed, Apr 20, 2016 at 04:39:03AM -0600, Larry Shaffer wrote:
> Hi,
> 
> If the OSGeo is considering taking the following stances...

Larry, it looks like you misunderstood my stances completely.

> * referring to the industry standard practice of code-signing, which
> protects the user from anyone tampering with software they are installing
> or have installed, as something that needs a workaround;

I've nothing against code-signing, but I think the user needs to be
able to decide who to trust.

> * that the default security practices and implementations on major OSes is
> somehow evil to their users, and that the users need protected from such
> losses of freedom;

It is evil if an OS enforces what's good or bad to a user.
Not evil if the user decides who to trust.

> * that the OSGeo needs to train users on how to circumvent these default
> security protections;

OSGeo needs to train users on how to tell their OS to trust OSGeo,

> then an anti-reality warp is in effect, which will only hurt users who
> actually just want to use the open-source software.

Users that just want to use open-source software should be able to
do so w/out their OS fighting against that. If any OS is fighting,
OS advocates should fight back.

--strk;
_______________________________________________
Qgis-psc mailing list
Qgis-psc at lists.osgeo.org
http://lists.osgeo.org/mailman/listinfo/qgis-psc
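The two points argued above (Larry's, that a signature lets the installer detect tampering with the bytes; Sandro's, that the decision to trust the signer should be the user's) are two separate checks, and the small model below keeps them separate. It is an added illustration written for this archive page, not OSGeo or QGIS code and not a reimplementation of Authenticode or Apple's codesign: the publisher key, the "default" and "user-extended" trust stores, and the installer contents are all constructed here, and the signature is Ed25519 over SHA-256 of the package bytes rather than whatever the real OS toolchains use. The point it makes is the one the thread circles: a tampered build fails on integrity whoever is trusted, a genuine build from an unknown publisher is only rejected on trust, and an attacker who re-signs a tampered build with their own key gets past integrity but not past a trust store the user has populated deliberately.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Verdict is what this model installer reports to the user about a package.
type Verdict string

const (
	VerdictTrusted         Verdict = "signed by a trusted publisher"
	VerdictUntrustedSigner Verdict = "valid signature, but publisher not in trust store"
	VerdictTampered        Verdict = "signature does not match contents (tampered or wrong key)"
	VerdictUnsigned        Verdict = "no signature"
)

// Package models a downloadable installer: the bytes, the publisher's public
// key shipped alongside them, and an Ed25519 signature over SHA-256(contents).
// This layout is an assumption for the example, not any OS's real format.
type Package struct {
	Contents  []byte
	Publisher ed25519.PublicKey
	Signature []byte
}

// TrustStore is the set of publisher keys the OS (or the user) has chosen to
// trust, keyed by the hex SHA-256 fingerprint of the public key.
type TrustStore map[string]bool

// Fingerprint returns the hex SHA-256 of a public key, used as its identifier.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return fmt.Sprintf("%x", sum[:])
}

// Add records a publisher key as trusted (the "tell your OS to trust X" step).
func (ts TrustStore) Add(pub ed25519.PublicKey) { ts[Fingerprint(pub)] = true }

func digest(contents []byte) []byte {
	sum := sha256.Sum256(contents)
	return sum[:]
}

// SignPackage is the publisher's one-time step with its private key.
func SignPackage(priv ed25519.PrivateKey, contents []byte) Package {
	return Package{
		Contents:  contents,
		Publisher: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, digest(contents)),
	}
}

// Verify is the installer's step: integrity and authenticity first (does the
// signature match these exact bytes under the shipped key?), then the trust
// decision (is that key one this store trusts?). The two never get merged.
func Verify(ts TrustStore, p Package) Verdict {
	if len(p.Signature) == 0 {
		return VerdictUnsigned
	}
	if len(p.Publisher) != ed25519.PublicKeySize ||
		!ed25519.Verify(p.Publisher, digest(p.Contents), p.Signature) {
		return VerdictTampered
	}
	if !ts[Fingerprint(p.Publisher)] {
		return VerdictUntrustedSigner
	}
	return VerdictTrusted
}

// Scenario walks the cases from the thread with a hypothetical publisher key
// and constructed installer bytes: default store without the publisher, a
// tampered mirror copy, the user adding the publisher, and an attacker
// re-signing the tampered copy with their own key.
func Scenario() map[string]Verdict {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	out := map[string]Verdict{}
	build := []byte("qgis-installer-bytes (constructed sample, not a real binary)")
	signed := SignPackage(priv, build)

	osDefault := TrustStore{} // ships without the publisher's key
	out["default store, genuine build"] = Verify(osDefault, signed)

	tampered := signed
	tampered.Contents = append(append([]byte{}, build...), []byte(" + injected payload")...)
	out["default store, tampered build"] = Verify(osDefault, tampered)

	userStore := TrustStore{}
	userStore.Add(pub) // the user decided to trust this publisher
	out["user-trusted store, genuine build"] = Verify(userStore, signed)
	out["user-trusted store, tampered build"] = Verify(userStore, tampered)

	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	resigned := SignPackage(attackerPriv, tampered.Contents)
	out["user-trusted store, re-signed by attacker"] = Verify(userStore, resigned)
	return out
}

func main() {
	for k, v := range Scenario() {
		fmt.Printf("%-45s -> %s\n", k, v)
	}
}
```

The design choice worth noticing is that `Verify` reports "untrusted signer" as a distinct verdict instead of folding it into "invalid": that is the case where an OS can either block outright or let the user add the publisher, which is exactly the difference the two sides of this thread are arguing about.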


