Who submitted == Apple security model [LWN.net]

Who submitted == Apple security model

Posted Sep 5, 2012 20:44 UTC (Wed) by drag (subscriber, #31333)
In reply to: Who submitted == Apple security model by david.a.wheeler
Parent article: Improving Ubuntu's application upload process

They depend on credit card infrastucture that the banks (all credit card companies are banks or owned by banks) have set up to monitor people. That way if you get a credit card number you have decent chance of having the ability to track down who you are dealing with.

Unless Ubuntu decides to try to charge people a small fee to get the ability to upload programs then they won't be able to use the same system.

This is probably something that would not be popular. HOWEVER, besides the political implications this is NOT a terrible idea, IMO. One-time fees can be benefitial for multiple parties involved.

(Log in to post comments)

Who submitted == Apple security model

Posted Sep 6, 2012 9:44 UTC (Thu) by njwhite (subscriber, #51848) [Link]

Which I for one despise, which is why my chromium extension isn't on their 'store.' That and signing a complex legal document that I lack the training or money (for a lawyer) to understand.

A requirement give a provable identity in order to distribute your software is a dangerous thing.

I'd far rather see some slick desktop interface on (say) freecode (nee freshmeat), which aggregates from wherever the developers can comfortably distribute, under their own terms.

Who submitted == Apple security model

Posted Sep 6, 2012 10:06 UTC (Thu) by njwhite (subscriber, #51848) [Link]

> I'd far rather see some slick desktop interface on (say) freecode (nee freshmeat), which aggregates from wherever the developers can comfortably distribute, under their own terms.

Using some sort of web of trust based approach for determining the trustworthiness of the programs and authors (Ingo Molnar mentioned this recently, and I would very much like somebody to figure out how to make it work.)

Who submitted == Apple security model

Posted Sep 6, 2012 16:56 UTC (Thu) by drag (subscriber, #31333) [Link]

> A requirement give a provable identity in order to distribute your software is a dangerous thing.

You are not required to provide identity in any cause to distribute software. Except maybe on iOS.

What you are required to do is provide some form of identity to use another person's service to distribute your software. This is not a bad thing. IF they are providing a service and you have a relationship with them then a payment for access to that service is not something that is a wrong thing to require.

Your one time payment would go to services and vetting so that people can be paid to go through software and check it out as 'safe' or not. Is this not a real issue?

Right now the 'vetting' is done by requiring third parties (Party 1: Developer, Party 2: Users, Party 3: Distributions) to build the software and then only allowing users easy access to those. The 'distributions' vet their 'vetters' by requiring years of devotion and history before they are allowed to build and upload software.

It seems to be that process is no less distasteful then asking a payment.

Either system is ripe for abuse, for different reasons. But that is why users need to be know which 'software distributors' they can trust regardless of the method used. If you are going to delegate your security to other parties (the developers and those who vet and distributes) then it's your responsibility to be somewhat aware of who and the type of people you are dealing with.

Q: "Who watches the watchers?",
A: the people being watched, of course.