On Jan 29, 2015, at 07:34 AM, Jani Monoses wrote:
>We mostly need this on regular devices that do not (yet) point to the
>official servers.
>
>Is the threat a user being unknowingly led into running with this flag and
>potentially compromising their install?
Yep. It's just my general paranoia coming through. If there is a way to
trick the user or the system into setting this flag, all bets are off. I'd
like to see if we can come up with another safety check that doesn't make your
life more difficult but would be explicit and hard to invoke for normal users.
OTOH, most normal users will only use the D-Bus API, so maybe that's the
trick. I can think of a couple of things:
* Do not document --skip-gpg-verification in the manpage or si-cli --help
* Prevent --skip-gpg-verification from working when run under D-Bus
Would either of these give you hardship?
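The two safety checks proposed above, sketched as an added example that is not si-cli's own code: the bypass flag is accepted by the parser but suppressed from `--help`, and it is refused outright when the command is reached through the D-Bus path. The `invoked_via_dbus` parameter is an assumption standing in for however the real D-Bus frontend would mark its invocations.

```python
import argparse

SKIP_FLAG = "--skip-gpg-verification"


def build_parser():
    """Parser for a hypothetical si-cli; the bypass flag exists but is hidden."""
    parser = argparse.ArgumentParser(prog="si-cli")
    parser.add_argument("package", nargs="?", help="package to install")
    # Proposal 1: keep the flag out of --help (and, by extension, the manpage).
    parser.add_argument(SKIP_FLAG, dest="skip_gpg", action="store_true",
                        help=argparse.SUPPRESS)
    return parser


def parse_args(argv, invoked_via_dbus):
    """Parse argv and enforce proposal 2: no GPG bypass over D-Bus.

    invoked_via_dbus is an assumed marker that the (hypothetical) D-Bus
    service would set when it forwards a request to the CLI code path.
    """
    args = build_parser().parse_args(argv)
    if args.skip_gpg and invoked_via_dbus:
        raise PermissionError(f"{SKIP_FLAG} is not permitted when invoked via D-Bus")
    return args


def help_text():
    """Rendered --help output, used to confirm the flag stays undocumented."""
    return build_parser().format_help()


def flag_rejected(argv, invoked_via_dbus):
    """True if the bypass flag is refused for this invocation context."""
    try:
        parse_args(argv, invoked_via_dbus)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # Direct CLI use keeps working; the same argv is refused under D-Bus.
    print(parse_args(["pkg", SKIP_FLAG], invoked_via_dbus=False))
    print("rejected over D-Bus:", flag_rejected(["pkg", SKIP_FLAG], True))
```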