Also, this dialogue really needs a redesign. Again, we should not be parroting the design decisions of trillion-dollar corporations like Apple.
Sideloading (or otherwise known as installing) apps from the web should not be demonised. We should be looking at webs of trust, etc.
In the case of an OS like elementary OS, with a tiny team, there is no reason to put Developer X’s review/trust above Developer Y’s review/trust.
Going to have a think about how this can be made less scary…
@aral Web of trust immediately invokes GPG to me. Of course GPG works, and I'm glad we have it, but in my experience very few people understand it. So _if_ a web of trust is modeled, I would advise not to model it after GPG.
@claudius The biggest shortcoming with GPG, as I see it, is key discovery. It’s one of the things that the Small Web solves by design (your keys are at a well-known location on your own domain). So the only thing you need to know to connect to someone is their domain name, akin to knowing someone’s phone number (although, arguably, easier to remember).
@aral key discovery certainly sucks. But after I discover it, I then need to tell if I can trust it - and that's where GPG falls short as well, IMO. I know relatively few people that really correctly perform these checks outside, say, a cryptoparty.
@aral in classic distributions, you trust a set of keys "by design". But once you get to that "install this random key to get packages from this weird PPA" stuff started, people usually default to "I just copy and paste the instructions"
I think this is a very hard problem to solve, because the math is solved but the human interactions are fucked up. They ask too much prior knowledge of people that clearly have better things to do.
@aral another thing in the small web model: there would be no way of preventing a very simple attack: register any domain, put your public keys there. Call yourself "Grand Lord of Narnia Inc." or "Apple" or "Bundesregierung" or whatever... The setup dialog has nothing else to work with and... would display "Signed by <whatever was specified by potentially attacking party>"?
@aral I was not suggesting we "out" Sarah. I do not like the current "app store / gatekeeper" distribution model either.
But I think most users should have some kind of guidance on what it is they are installing on their system.
And, I do have to admit, I have no clue how to connect those two dots.