|
|
Log in / Subscribe / Register

Re: Arbitrary 3rd Party Code

[Posted April 13, 2011 by corbet]

From:  Ryan Ware <ware-VuQAYsv1563Yd54FQh9/CA-AT-public.gmane.org>
To:  meego-security-discussion-VVXm0OgCXj10cC2WI2GV6A-AT-public.gmane.org
Subject:  Re: Arbitrary 3rd Party Code
Date:  Fri, 08 Apr 2011 10:26:29 -0700
Message-ID:  <4D9F4545.9020603@linux.intel.com>

On 04/07/2011 04:32 PM, Praveen Gupta wrote:
> URL is not usable.. Please re-send..
>
> Again, separation of local-access only data is, just, one usecase..
>
> There are several other usecases.. For example -
>
> * Separation of "enterprise", "Carrier" and "application-sensitive" data
> * Restriction of data cross-over from one domain to another
>
> Mobile platforms has "unique" security requirements.
>
> Implementation of these requirements is *necessary* for adoption of mobile
> platforms by "sensitive" enterprise applications (for example).. Several
> other such scenarios / use-cases exists.
>
> We need *requirements* which we can map to different Meego releases..
>
> After requirements are frozen, we need to propose "architecture" with
> release plan.
Please don't top-post.

This might be the case if we were following a waterfall development 
model.  We are not in any way following that type of model.  
Additionally, we already have security requirements that have previously 
been defined and published.  There are others that have been defined and 
will be published in the near future.

As for the specific requirement that you've proposed, I do not see it as 
a requirement for MeeGo.  Even if it was, I don't see a viable technical 
solution that could be put in place.  Content providers have been trying 
to do this exact thing with various digital rights management systems 
since the dawn of digitally distributed, consumer oriented products.  As 
we all know, their efforts with all of their resources have not yet 
created a solution that would meet the intent of your requirement.  If 
they've never been able to do it, we have no hope of doing that with the 
small number of resources we have working on MeeGo.

I believe I have a good understanding of what you would like to see and 
we can't do it.  We can't have a requirement saying we need to govern 
what an application does with data after it's received it.  What we 
*can* have though (and do, but not published yet) is a requirement 
stating that the end-user can control which applications are allowed 
which type of personal data.  That is reasonable and implementable and 
we already have things in flight to get there.

Ryan

to post comments


Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds