Also, this dialogue really needs a redesign. Again, we should not be parroting the design decisions of trillion-dollar corporations like Apple.

Sideloading (otherwise known as installing) apps from the web should not be demonised. We should be looking at webs of trust, etc.

In the case of an OS like elementary OS, with a tiny team, there is no reason to put Developer X’s review/trust above Developer Y’s review/trust.

Going to have a think about how this can be made less scary…

@aral Web of trust immediately invokes GPG to me. Of course GPG works, and I'm glad we have it, but in my experience very few people understand it. So _if_ a web of trust is modeled, I would advise not to model it after GPG.

@claudius The biggest shortcoming with GPG, as I see it, is key discovery. It’s one of the things that the Small Web solves by design (your keys are at a well-known location on your own domain). So the only thing you need to know to connect to someone is their domain name, akin to knowing someone’s phone number (although, arguably, easier to remember).

@aral key discovery certainly sucks. But after I discover it, I then need to tell if I can trust it - and that's where GPG falls short as well, IMO. I know relatively few people that really correctly perform these checks outside, say, a cryptoparty.

@aral in classic distributions, you trust a set of keys "by design". But once you get to that "install this random key to get packages from this weird PPA" stuff, people usually default to "I just copy and paste the instructions".

I think this is a very hard problem to solve, because the math is solved but the human interactions are fucked up. They ask too much prior knowledge of people that clearly have better things to do.

@aral another thing in the small web model: there would be no way of preventing a very simple attack: register any domain, put your public keys there. Call yourself "Grand Lord of Narnia Inc." or "Apple" or "Bundesregierung" or whatever... The setup dialog has nothing else to work with and... would display "Signed by <whatever was specified by potentially attacking party>"?

@claudius Yep. And that’s fine. It doesn’t aim to solve the problem of identity verification. That’s where you can look at where else the site is linked from, etc. All the same things you’d do when someone walks up to you and says “Hey, I’m John” apply. If you want to know if John is really John, you probably will ask some friends if they know him. Or you’ll do a quick search online, etc. And if someone wants to be known as Grand Lord of Narnia, that’s ok too. You can choose to trust/not…


@claudius …we won’t be building systems that enable you to “out” Sarah as Grand Lord of Narnia. People should be allowed to explore aspects of their identities freely.

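The impersonation case discussed in this exchange (register any domain, publish a key there, call yourself "Apple"), as an added example that is not part of the thread and not Small Web code. The well-known key location is modelled as an in-memory map, and the package format, the field names and the prompt wording are all hypothetical. What it shows: a signature over a package can bind the package to a domain, but the display name in the key document is whatever the key holder wrote, so a dialog that prints "Signed by <name>" attests something the check never verified.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyDocument stands in for what an installer would fetch from a
// well-known location on the origin domain (hypothetical layout).
type KeyDocument struct {
	DisplayName string // self-asserted: anyone who owns the domain writes this
	PublicKey   ed25519.PublicKey
}

// wellKnown replaces the network fetch so the example runs offline.
var wellKnown = map[string]KeyDocument{}

// publish generates a key pair and "hosts" the public half under domain.
func publish(domain, displayName string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	wellKnown[domain] = KeyDocument{DisplayName: displayName, PublicKey: pub}
	return priv
}

// Package is a hypothetical installable: the origin to look up, the
// manifest bytes and a signature over both.
type Package struct {
	Origin   string
	Manifest []byte
	Sig      []byte
}

// signedBytes prefixes the origin so a package signed for one domain
// cannot be replayed as coming from another domain's key.
func signedBytes(origin string, manifest []byte) []byte {
	return append([]byte(origin+"\x00"), manifest...)
}

func sign(origin string, manifest []byte, priv ed25519.PrivateKey) Package {
	return Package{Origin: origin, Manifest: manifest,
		Sig: ed25519.Sign(priv, signedBytes(origin, manifest))}
}

// Verified separates what the check proves (Domain) from what it merely
// relays (ClaimedName).
type Verified struct {
	Domain      string // cryptographically bound to the signature
	ClaimedName string // not verified by anything
}

func verify(p Package) (Verified, error) {
	doc, ok := wellKnown[p.Origin]
	if !ok {
		return Verified{}, errors.New("no key document published at " + p.Origin)
	}
	if !ed25519.Verify(doc.PublicKey, signedBytes(p.Origin, p.Manifest), p.Sig) {
		return Verified{}, errors.New("signature does not verify under " + p.Origin)
	}
	return Verified{Domain: p.Origin, ClaimedName: doc.DisplayName}, nil
}

// naivePrompt is the dialog the thread warns about: it shows the
// attacker-chosen name as if it were an identity.
func naivePrompt(v Verified) string { return "Signed by " + v.ClaimedName }

// honestPrompt shows only what was actually checked, and labels the rest.
func honestPrompt(v Verified) string {
	return fmt.Sprintf("Install an app signed by the key published at %s? (It calls itself %q; that name has not been verified.)",
		v.Domain, v.ClaimedName)
}

func main() {
	// Constructed scenario: an attacker registers a domain and names the key "Apple".
	priv := publish("grand-lord-of-narnia.example", "Apple")
	pkg := sign("grand-lord-of-narnia.example", []byte("name: totally-legit-app\nversion: 1.0"), priv)

	v, err := verify(pkg)
	if err != nil {
		panic(err)
	}
	fmt.Println(naivePrompt(v))  // the signature is valid, so this says "Signed by Apple"
	fmt.Println(honestPrompt(v)) // the same check, reported honestly

	// The binding to the domain is real: relabelling the origin breaks the check.
	publish("apple.example", "Apple")
	replayed := pkg
	replayed.Origin = "apple.example"
	_, err = verify(replayed)
	fmt.Println("replay under another domain:", err)
}
```

The design choice worth copying is the `Verified` split: the installer's dialog should only ever state the domain the signature verified against, and any human-readable name comes with an explicit "not verified" label, which is exactly the gap @aral says the model leaves to webs of trust and out-of-band checks.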

@aral I was not suggesting we "out" Sarah. I do not like the current "app store / gatekeeper" distribution model either.

But I think most users should have some kind of guidance on what it is they are installing on their system.

And, I do have to admit, I have no clue how to connect those two dots.

Aral’s Mastodon