[Qgis-psc] [SAC] Osgeo Code signing certificates

Sandro Santilli strk at keybit.net
Wed Apr 20 09:42:24 PDT 2016


On Wed, Apr 20, 2016 at 10:22:36AM -0600, Larry Shaffer wrote:

> I wish the Mac code-signing issue were not this way, but it plainly is.
> Until there is a solution in place we, as packagers, will continue to look
> untrustworthy if we do nothing or expect users to bypass any security.

First of all I'd stop calling it "security".
It's a semantic battle to fight here.
If we cannot ask the user to give OSGeo and/or other free software
actors their _trust_, we should ask the user to pay for the penalty
of leaving their trust in the sole hands of Apple.

The software is free, they can download sources, build binaries from
the sources, but they would not be able to install the sources they
build UNLESS they break out the Apple jail _or_ pay Apple a fee to
do that.

Just let them know about this. Those systems are defective. By design.
Raise a BIG WARNING on installation. Let them know they are running a
broken system.

Obtain their attention by providing an Apple certificate, but then use
that attention wisely.

Let the user know she's being used as a product by Apple,
which sucks money out of those willing to be trusted by her.

Let the user know he's being fooled by Apple, calling
his freedom of choice a "security concern".

--strk;



