[Qgis-psc] [SAC] Osgeo Code signing certificates

Sandro Santilli strk at keybit.net
Wed Apr 20 09:49:19 PDT 2016


On Wed, Apr 20, 2016 at 05:36:58PM +0100, Jonathan Moules wrote:
> Hi Sandro
> I get what you're saying, and entirely agree with the principle.
> But unfortunately the practicalities disagree; compare Android and iPhones - Apple has a closed ecosystem and a fraction of the malware that Android has (anything from 3%-20% depending on the report). The primary difference between the platforms is the fact that anyone can install whatever on Android but there's more stringent curation on an Apple. In many cases those files you can access on Android contain Bad Things.

I disagree. Most files I can access on my computer do not contain Bad
Things, as I decide whom to trust. I only install software from sources
I trust: those where the software is distributed under a free software
license, comes with _sources_ I can inspect, and has a
community I can engage with.

On android there's an excellent project to build some trust around
free software binaries: f-droid.org.

Is deciding whom to trust a difficult task? YES.
Is delegating that hard decision to a single provider to be recommended?
NO, in my opinion. But that's your choice (or is it?).

> Raising user awareness only works to an extent. If users aren't
> following basic security awareness already, I'm not sure an OSGEO\QGIS
> campaign would achieve much.

Not only the battles you're sure to win are worth fighting.

--strk;
