Trusted software archives
During the Ubuntu Developer Summit there were a number of discussions around how Debian-based operating systems, such as Ubuntu, can best enable people to add trusted software archives to their computer (see the blueprint AptURL-policy for Ubuntu Karmic).
As far as I understood, there are three competing issues:
- There is currently no easy way for a person to evaluate whether a software archive might be trustworthy, other than trusting a centralized white-list;
- Installing software directly from a web-browser click should be minimized and discouraged;
- There should be an easy way for people to share (and maintain) software that they develop.
I’m only going to discuss the first point here. DoctorMo has some great mockups demonstrating GPG keys being used for identity and software trustworthiness, but a few people have commented on the problem of confusing the “web-of-(identity)-trust” that GPG keys currently provide with some sort of general trust that the identified person will be responsible with my computer.
Reading all the comments there leaves me wondering whether we should stop using the phrase “web-of-trust” and instead use the more verbose “web-of-identity-trust” to avoid confusion, even though it doesn’t roll off the tongue so easily. I love Martin’s idea, and the concern is real, but I am wondering how it could be implemented in a decentralised way.
Of course, it would be possible to add this as an API feature of Launchpad. My feeling is that Launchpad should be a source of the social value of an archive (i.e. user ratings etc.), but not necessarily a source of this fundamental trust-relationship.
So here is an idea: what if the repository contained this infrastructure itself, such as a directory of meta-information, ‘identities-who-trust-this-archive’, which contained signed trust files ‘trust-of-canonical.txt’ or ‘trust-of-joe-bloggs.txt’. The text could just be a standard paragraph, or be modified by the signer if needed. The installer on the operating system would allow the user to check the trust text etc. Could this work? Can anyone see any issues? (hmm… revoking trust would not be possible without revoking the key used to sign the document?)
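To make the proposal a little more concrete, here is an added example of what the installer-side check could look like. It is not code from this post or from any Ubuntu, Debian or Launchpad project: Ed25519 stands in for the GPG signatures the post has in mind, and the JSON field set, the error names and the archive names are all assumptions made for the example. It also handles two things a practitioner would ask about: the signed text names the archive it vouches for, so a trust file cannot simply be copied from one archive into another, and it carries an expiry, so trust lapses unless the signer re-asserts it, which is one partial answer to the revocation question above that does not require revoking the signer's key. The keyring (who is this person?) is kept separate from the policy (do I accept this person's judgement about software?), mirroring the identity-trust versus general-trust distinction discussed earlier.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// TrustStatement is the signed content of one file in the proposed
// identities-who-trust-this-archive/ directory. The field set is an
// assumption for this example; the post only proposes a paragraph of text.
type TrustStatement struct {
	Archive string `json:"archive"` // which archive is vouched for, so the file cannot be reused elsewhere
	Signer  string `json:"signer"`  // identity doing the vouching, e.g. "joe-bloggs"
	Text    string `json:"text"`    // the standard paragraph, or the signer's own wording
	Expires int64  `json:"expires"` // unix time after which the statement lapses unless re-signed
}

// SignedTrustFile pairs the statement bytes with a detached signature.
// Ed25519 stands in for a GPG signature here; the directory layout is unchanged.
type SignedTrustFile struct {
	Statement []byte
	Signature []byte
}

// Keyring holds keys the user already trusts for *identity* (the web-of-identity-trust).
type Keyring map[string]ed25519.PublicKey

// Policy lists identities whose vouching the user accepts for *archive* trust.
// Knowing who someone is does not mean their judgement should configure your machine.
type Policy map[string]bool

var (
	ErrMalformed    = errors.New("trust file: malformed statement")
	ErrUnknownKey   = errors.New("trust file: no identity key for signer")
	ErrBadSignature = errors.New("trust file: signature does not verify")
	ErrWrongArchive = errors.New("trust file: statement is for a different archive")
	ErrExpired      = errors.New("trust file: statement has expired")
	ErrNotInPolicy  = errors.New("trust file: signer is identified but not trusted for archives")
)

// Sign produces the file a signer would publish into the archive.
func Sign(priv ed25519.PrivateKey, st TrustStatement) (SignedTrustFile, error) {
	msg, err := json.Marshal(st) // struct field order makes the encoding deterministic
	if err != nil {
		return SignedTrustFile{}, err
	}
	return SignedTrustFile{Statement: msg, Signature: ed25519.Sign(priv, msg)}, nil
}

// Verify is what the installer would run before showing the trust text to the user.
func Verify(f SignedTrustFile, archive string, kr Keyring, pol Policy, now time.Time) (TrustStatement, error) {
	var st TrustStatement
	// The signer name is read from the *unverified* bytes only to pick a key;
	// nothing else is relied on until the signature over those exact bytes checks out.
	if err := json.Unmarshal(f.Statement, &st); err != nil {
		return TrustStatement{}, ErrMalformed
	}
	pub, ok := kr[st.Signer]
	if !ok {
		return TrustStatement{}, ErrUnknownKey
	}
	if !ed25519.Verify(pub, f.Statement, f.Signature) {
		return TrustStatement{}, ErrBadSignature
	}
	if st.Archive != archive {
		return TrustStatement{}, ErrWrongArchive
	}
	if now.Unix() >= st.Expires {
		return TrustStatement{}, ErrExpired
	}
	if !pol[st.Signer] {
		return TrustStatement{}, ErrNotInPolicy // authentic, but this user has not opted in to this voucher
	}
	return st, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	kr := Keyring{"joe-bloggs": pub}
	pol := Policy{"joe-bloggs": true}
	now := time.Now()
	st := TrustStatement{
		Archive: "ppa:joe-bloggs/example", // constructed archive name
		Signer:  "joe-bloggs",
		Text:    "I maintain this archive and vouch that its packages do what they say.",
		Expires: now.Add(90 * 24 * time.Hour).Unix(),
	}
	f, _ := Sign(priv, st)
	_, err := Verify(f, "ppa:joe-bloggs/example", kr, pol, now)
	fmt.Println("genuine file:", err)
	_, err = Verify(f, "ppa:someone-else/example", kr, pol, now)
	fmt.Println("copied into another archive:", err)
	_, err = Verify(f, "ppa:joe-bloggs/example", kr, pol, now.Add(365*24*time.Hour))
	fmt.Println("a year later, never re-signed:", err)
}
```

The expiry only bounds how long a stale endorsement survives; a signer who wants to withdraw trust sooner would still need either a key revocation or a separately published "I no longer vouch" statement that the installer knows to look for, which is exactly the gap the post's closing question points at.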