[Qgis-psc] [SAC] Osgeo Code signing certificates

Larry Shaffer larrys at dakotacarto.com
Wed Apr 20 09:22:36 PDT 2016


Hi Sandro,

On Wed, Apr 20, 2016 at 4:54 AM, Sandro Santilli <strk at keybit.net> wrote:

> On Wed, Apr 20, 2016 at 04:39:03AM -0600, Larry Shaffer wrote:
> > Hi,
> >
> > If the OSGeo is considering taking the following stances...
>
> Larry, it looks like you misunderstood my stances completely.
>
> > * referring to the industry standard practice of code-signing, which
> > protects the user from anyone tampering with software they are installing
> > or have installed, as something that needs a workaround;
>
> I've nothing against code-signing, but I think the user needs to be
> able to decide who to trust.
>
> > * that the default security practices and implementations on major OSes is
> > somehow evil to their users, and that the users need protected from such
> > losses of freedom;
>
> It is evil if an OS enforces what's good or bad to a user.
> Not evil if the user decides who to trust.
>
> > * that the OSGeo needs to train users on how to circumvent these default
> > security protections;
>
> OSGeo needs to train users on how to tell their OS to trust OSGeo,
>
> > then an anti-reality warp is in effect, which will only hurt users who
> > actually just want to use the open-source software.
>
> Users that just want to use open-source software should be able to
> do so w/out their OS fighting against that. If any OS is fighting,
> OS advocates should fight back.
>

You bring up some good points here, but unfortunately none of that is
plausible with regard to Mac applications/installers that need to have a
user verify their provenance.

Here are the facts:

* Current situation is totally broken. When a Mac user installs anything
not code-signed, by default, they are prompted that it cannot be installed
at all, unless the user turns OFF default security settings. So, there is
no decision of trust here for most users. Most will simply not install the
software because it looks as though they should NOT trust the developers.

* Apple IS a trusted Certificate Authority in this instance. The web of
trust must end somewhere. If not with the developer of the OS itself, then
who? You would be hard pressed to find a regular Mac user willing to
install any other Certificate Authority for a code-signing trust chain.

* Apple requires control over signing developers' certificates. Their
'walled garden' approach is both a bane and boon for iOS; and they are
pushing for the same on Mac OS X (to a certain extent). As such, we as
developers cannot ask users to place their trust elsewhere, like with a
self-signed OSGeo or standard root Certificate Authority. It is just not,
nor will it be in the foreseeable future, a technical possibility on Mac OS
X.

* Asking users to do anything to bypass the default security settings on
Mac completely misplaces their decision of trust *away* from our
developers. Any developer of standard release desktop software that asks
users to bypass security to use their software is immediately susceptible
to lack of trust.

* Linux users generally don't care much about Mac users' woes. Fair enough,
but many of us not only care but also want FOSS4G software to flourish
there. It is a stable and evermore popular platform.

I wish the Mac code-signing issue were not this way, but it plainly is.
Until there is a solution in place we, as packagers, will continue to look
untrustworthy if we do nothing or expect users to bypass any security.

Larry Shaffer
Dakota Cartography
Black Hills, South Dakota
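The check a packager would run on a Mac bundle before shipping it, as an added example that is not part of this thread or of any OSGeo/QGIS project code: it verifies the signature's integrity, lists the certificate chain, and asks Gatekeeper for its verdict the same way the OS does before showing the user the "can't be opened" dialog. It assumes macOS with the stock codesign(1) and spctl(8) tools; the bundle path, identifier and team ID in the sample output are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the OSGeo/QGIS thread): inspect an app bundle the
# way Gatekeeper will. Assumes macOS with the stock codesign and spctl tools.

# Pull the certificate chain names out of `codesign -dvv` output.
# Reads the tool's text on stdin, prints one authority per line.
signing_authorities() {
    sed -n 's/^Authority=//p'
}

# Classify a Gatekeeper assessment from `spctl --assess -v` output.
# Prints one of: accepted / rejected / unknown
gatekeeper_verdict() {
    case "$1" in
        *": accepted"*) echo accepted ;;
        *": rejected"*) echo rejected ;;
        *) echo unknown ;;
    esac
}

# Full check of one app bundle; only meaningful on macOS.
check_bundle() {
    app="$1"
    if ! command -v codesign >/dev/null 2>&1 || ! command -v spctl >/dev/null 2>&1; then
        echo "codesign/spctl not found: run this on macOS" >&2
        return 2
    fi
    echo "== signature integrity (codesign --verify --deep --strict)"
    if codesign --verify --deep --strict --verbose=2 "$app" 2>&1; then
        echo "signature OK"
    else
        echo "signature missing or invalid"
    fi
    echo "== signing chain"
    codesign -dvv "$app" 2>&1 | signing_authorities
    echo "== Gatekeeper assessment (spctl --assess --type execute)"
    out=$(spctl --assess --type execute -v "$app" 2>&1)
    echo "$out"
    gatekeeper_verdict "$out"
}

# Constructed sample in the shape `codesign -dvv` prints for a bundle signed
# with a Developer ID certificate (placeholder org and team ID), so the
# helpers can be exercised offline without a Mac.
SAMPLE_CODESIGN='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=org.example.app
Authority=Developer ID Application: Example Org (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

# Constructed sample of spctl rejecting an unsigned bundle.
SAMPLE_SPCTL_REJECT='/Applications/Example.app: rejected
source=no usable signature'

if [ $# -gt 0 ]; then
    check_bundle "$1"
fi
```

Run it as `sh check_bundle.sh /Applications/QGIS.app`. A "rejected" verdict with "no usable signature" is exactly the state the message above describes: the default Gatekeeper policy will refuse the bundle and the user is left to disable that policy. Note that spctl reports the policy of the machine it runs on, so check on a clean default install, and that on macOS releases newer than the 2016 discussion Apple additionally requires notarization, so a valid Developer ID chain alone is no longer enough for an "accepted" verdict.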
