On Dec 9, 2008, at 10:27 PM, Jack Repenning wrote:
On Dec 9, 2008, at 5:55 PM, Perry The Cynic wrote:
In the end, you have to decide what being "your program" means to
you and your team; where you put the trade-off between openness and
trustworthiness (of the build result). *Then* you can put the
corresponding process in place. There are way too many choices for
me to just tell you what to do.
Thanks for the response. There was a lot of helpful stuff there that
I haven't re-quoted (because it already makes sense, not because I
didn't like it or something).
The issue here is that it's not about "ownership." This isn't a
commercial product. It's open source! The cardinal characteristic is
that anyone can create their own fork. What I want is to help the
end user be clear on whose variant they're using. Sounds like that's
not a part of the present implementation/goal for CDSA. (Guess I've
spent too much time in PGP land.)
You're right it's not about "ownership." It never is, commercial or
not. Signing your code doesn't protect it from being ripped off; it
protects your *reputation* from being ripped off. And that, I think,
applies to open source at least as much as to the commercial kind.
A code signature is essentially a stamp of origin - "I made
this." (Or, "we made this." Or even, "some anonymous entity made
this.") It's not about the source, or the code; it's about its
behavior, and about *stability* of this behavior. If you ship open
source software, presumably it comes with an offer to get source code,
at which point anyone can make their own version (modified or not) and
publish it in turn. That does not obviate the question of whether his
version should be considered "the same" as your version. In fact, it
makes the question more interesting... and more troubling to your
users, who want to know whether they should "upgrade"(?) from your
version to "Joe's version" or vice versa, and what that might do to
their system.
If you don't care about your reputation, you can choose a code
identity (i.e. Designated Requirement) for your program that anyone
can fulfill. (Simply using "identifier org.whatever.my.program" will
do - anyone can do this; you can stick it right into your Makefile or
Xcode project or whatever.) Then any build of this program is
considered "the same", and nobody can tell the difference (not the
computer, and probably not your users either).
If you want *the system* to treat all versions the same but users to
get a distinction, put markers into the Info.plist and display them in
your About... window. Or use a resource file (resources are sealed
into the signature). If you want the system to tell the difference,
use different names.
All of those "free" approaches ("free" as in easy to duplicate) mean
that you can't exclude nasty people. If you value your online
reputation, that ought to trouble you at least a bit. Signing with an
identity that you keep to yourself (or your team, etc.) is a way to
*reliably* distinguish stuff you blessed from stuff you didn't. That's
got nothing to do with whether this is open source or not; it's a
function of whether people trust *that particular binary that got
signed* because you said it's trustworthy.
It would be great if the Finder could display (in a program's Get Info
window) its signing status, so that you then knew whether to trust the
information in there. That radar is, how do I put it, "pending".
But I still have one question in what you've said: if Keychain uses
CDSA to ask once "can program X use this item?" and then remembers
the "always" approval ... that approval applies to all future
versions properly signed by the same key, is that what you're
saying? And a well-signed version signed by some other key then
prompts the question again, that right? So whereas with no signing,
I get that question every time I rebuild the app, and my users get
it every time they install a new version, with well-handled signing
- I might never see the question again (because even when hacking,
I'll probably use the official key, since I'm the official
buildmeister)
- my end-users likewise may never see the question again (because
they'll install only my offeeeeshally signed distros)
- and my developers will see it only whenever they happen to switch
between my builds and their own, or similar
Did I get that right?
Entirely right. (Note that other subsystems will react similarly; for
example, the application firewall will pop another dialog when the
user switches to a differently signed version.
Cheers
-- perry
---------------------------------------------------------------------------
Perry The Cynic email@hidden
To a blind optimist, an optimistic realist must seem like an Accursed
Cynic.
---------------------------------------------------------------------------
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Apple-cdsa mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
