[sugar] Automatic transfer/update of activities on the mesh (Was: Sharing behavior in the core Read activity)

Michael Stone
Wed Mar 26 13:13:13 EDT 2008


On Wed, Mar 26, 2008 at 10:05:19AM -0600, Jameson Chema Quinn wrote:
> I disagree with #2. 

I disagree with both #1 and #2 and, as the current maintainer of
Rainbow, that should tell you something. More bluntly, please experiment
and please publish your work with a public solicitation of criticism.
It's true that, these days, I lack the uninterrupted time for serious
attacks on our really hard security problems (X, communications
security, and making isolation available on other platforms come to
mind), but I'll _make_ time for patch review, discussion, and writing on
these topics.

(Understand that, like any occasionally capricious maintainer, I may or
may not like your work, may or may not demand changes in your work
before I decide to merge it with mine, and probably won't agree with you
about the Right Way Forward. However, don't let that stop you!)

> partially if we think things through. Adding a hook so that activities with
> P_IDENT can request signatures, without seeing the private key, is IMO safe
> and simple enough to be worth doing if it helps us with activity updates.

It's certainly a place to start - in other words, it may be
independently useful and it will certainly give us better understanding
of the overall problem. Please try it.

> Activities spread virally by sharing. Alicia codes a new activity V1 and
> signs it, it starts to spread. Bad Bob replaces Alicia's sig with his own
> and keeps spreading it. Now Bad Bob can add his malicious code to the
> activity later, and all the people who got the activity downstream from him
> will automatically update to the malicious version.

As I said in my previous email, Bitfrost clearly states (correctly, in
my mind) that even justified belief that code originates from some known
individual implies no trust relationship with that code. Period. Use
isolation to make it safer to play with code and use signing to help
reduce attackers' abilities to lie to you about what code you're going
to be running.
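The Alicia/Bad Bob scenario quoted above, worked through in code. This is an
added example for this archive page, not code from Sugar, Rainbow or Bitfrost:
the Bundle struct, the sha256(version || code) digest, the Ed25519 keys and the
"signer continuity" rule in AcceptUpdate are all assumptions chosen to
illustrate the thread, not the real .xo bundle format or any proposed Sugar
API. It shows that pinning the first-seen signer key protects someone who got
V1 directly from Alicia, and also why that is not enough: anyone downstream
of Bob pinned Bob's key at first install and auto-updates to his malicious V2,
which is exactly why a verified signature is not a trust relationship.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Bundle is a hypothetical signed activity bundle, constructed for this example
// and not Sugar's real .xo format: the activity code, a version counter, the
// public key of whoever signed it, and an Ed25519 signature over
// sha256(version || code).
type Bundle struct {
	Code    []byte
	Version uint32
	Signer  ed25519.PublicKey
	Sig     []byte
}

// digest binds the version to the code so a signature over one version cannot
// be replayed onto another version of the same bytes.
func digest(b *Bundle) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], b.Version)
	h.Write(v[:])
	h.Write(b.Code)
	return h.Sum(nil)
}

// Sign produces a bundle signed with priv; the public half travels inside it.
func Sign(priv ed25519.PrivateKey, code []byte, version uint32) *Bundle {
	b := &Bundle{Code: code, Version: version, Signer: priv.Public().(ed25519.PublicKey)}
	b.Sig = ed25519.Sign(priv, digest(b))
	return b
}

// Resign is Bad Bob's move: drop the author's signature and re-sign the same
// code under his own key. Nothing inside the bundle itself reveals the swap.
func Resign(priv ed25519.PrivateKey, orig *Bundle) *Bundle {
	return Sign(priv, orig.Code, orig.Version)
}

// Installed is what a machine remembers after a first install: the version it
// runs and the signer key it has pinned for future automatic updates.
type Installed struct {
	Version uint32
	Signer  ed25519.PublicKey
}

// Install accepts any bundle whose signature verifies under the key it
// carries. A valid signature here proves only that the key holder signed these
// bytes, not who the key holder is; that is the opening Bob exploits.
func Install(b *Bundle) (*Installed, error) {
	if !ed25519.Verify(b.Signer, digest(b), b.Sig) {
		return nil, errors.New("signature does not verify")
	}
	return &Installed{Version: b.Version, Signer: b.Signer}, nil
}

// AcceptUpdate applies signer continuity (an assumed policy, not Sugar's): an
// automatic update is taken only if it verifies, is signed by the same key as
// the installed version, and is strictly newer.
func AcceptUpdate(cur *Installed, upd *Bundle) error {
	if !ed25519.Verify(upd.Signer, digest(upd), upd.Sig) {
		return errors.New("signature does not verify")
	}
	if !upd.Signer.Equal(cur.Signer) {
		return errors.New("signer changed since install: refusing automatic update")
	}
	if upd.Version <= cur.Version {
		return errors.New("not newer than installed version: refusing downgrade")
	}
	return nil
}

// Scenario plays out the thread's example and reports two outcomes: whether a
// user who got V1 directly from Alicia refuses Bob's later V2, and whether a
// user downstream of Bob (who first installed Bob's re-signed copy) takes it.
func Scenario() (directUserRefusesBob, downstreamUserTakesBob bool) {
	_, aliciaPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, bobPriv, _ := ed25519.GenerateKey(rand.Reader)

	// Constructed sample payloads standing in for activity code.
	v1 := Sign(aliciaPriv, []byte("def main(): print('hello')"), 1)
	bobV1 := Resign(bobPriv, v1)
	bobV2 := Sign(bobPriv, []byte("def main(): print('hello'); exfiltrate()"), 2)

	direct, _ := Install(v1)        // pinned Alicia's key
	downstream, _ := Install(bobV1) // pinned Bob's key without knowing it

	directUserRefusesBob = AcceptUpdate(direct, bobV2) != nil
	downstreamUserTakesBob = AcceptUpdate(downstream, bobV2) == nil
	return
}

func main() {
	a, b := Scenario()
	fmt.Println("direct recipient refuses Bob's V2:", a)
	fmt.Println("downstream recipient auto-updates to Bob's V2:", b)
}
```

The continuity check only narrows who can push an update to an already
installed activity; it says nothing about whether the code under either key
should be trusted, which is the isolation job the message above assigns to
Rainbow.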
