Hacker News new | ask | show | jobs
by rbarooah 5185 days ago
The only thing you seem to be saying you want is to be free from the fear of unintended negative consequences of code signing.

It's tautological that nobody can both provide something and freedom from the fear of the unintended consequences of that same thing simultaneously.

On the other hand, since the only way to judge the trustworthiness of code is to know its provenance, I don't see how we can avoid some kind of signing becoming ubiquitous.

To me that means that free software must eventually develop a decentralized code signing scheme.
3 comments
kaolinite 5184 days ago
Correct me if I'm wrong, but the package managers of all popular Linux distros (except for Arch Linux, who are moving to bring it in soon) have had code signing for years now. It's not decentralised however the package management system isn't either.
link
Natsu 5185 days ago
I think his problem is with those people who would take away the user's freedom to choose who to trust.
link
randallsquared 5184 days ago
I don't really expect them to take it away completely. So, a simpler version is that I expect the capability to silently disable applications on user machines will be misused (through third-party insistence if nothing else; see the _1984_ debacle at Amazon). A similar system which could only throw up scary warnings when starting an unsigned application wouldn't bother me much, since it wouldn't be such attractive lawsuit bait. But I agree that I'm only speculating that Apple will carry this through to its natural end of being iOS-like. I can't imagine any reason for them not to do it, and I think that for the majority of their users, it will actually improve the experience.
link
rbarooah 5185 days ago
Slippery slope fallacies notwithstanding, Apple isn't proposing to take anything away.

My point is that the alternatives don't provide the user with the option to choose who to trust to begin with.

The ability to trust code is something that has to be created with engineering and design.

link
randallsquared 5184 days ago
The only thing you seem to be saying you want is to be free from the fear of unintended negative consequences of code signing.

Yeah, I dislike negative consequences. :)

To me that means that free software must eventually develop a decentralized code signing scheme.

I wholeheartedly agree!

link