Linked by Thom Holwerda on Mon 15th Dec 2008 15:10 UTC
Editorial InternetNews.com states: "Microsoft (or a really smart ISV) should build a full application manager for Windows, similar to what most Linux distributions do today." Most Windows applications come with their own distinctive updating mechanism (much like Mac OS X), instead of having a centralised updating location like most Linux distributions offer. While it certainly wouldn't be harmful for Windows to gain such a feature - the question remains: isn't it time we rethink program installation and management altogether?
Thread beginning with comment 340433
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE[4]: Package Manager Freeware
by GaBMaTrIx on Tue 16th Dec 2008 05:11 UTC in reply to "RE[3]: Package Manager Freeware"
GaBMaTrIx
Member since:
2008-12-15

"Hi lemur2, You're perfectly right about your comment! The software links aren't check for authenticity and therefore, we can't be sure about security. This software need to be improved in a lot of different aspects but I think it is a good start. Do you have a practical proposition about a new security feature? I don't think traditional software signing is appropriate in this case because we download the software directly from the developer webpage. Maybe website authenticity checking along with showing the location of the download to the user in order to gain trust? If so, please post in in the Issue Tracker here http://code.google.com/p/appsnap/issues/list Thanks!


AFAIK, Linux package managers get around this issue by including GPG keys for the repositories in the distribution install CD. If you installed a compromised install CD then you are compromised before you start anyway, but if you install a good CD then this allows packages in the repositories to be signed and for the package managers at the recipient end to check the packages on receipt. This is a pretty good system that, AFAIK, has never had a breach. AFAIK there has never been malware installed on a user's system coming from a repository via a signed package.

Having said that, Linux package managers have no such checking means available in the scenario where a user downloads (from a getdeb type of website) an application package (.deb or .rpm) and then uses the package manager to install that. The best that can be done here is to warn the user: "This package is not signed, do you trust the source of this package?" type of warning.

As far as I can see, every single application on Windows is in the latter category rather than the former. This would mean that every package would generate a similar warning every time the users tried to download and install anything. In that situation, the warning would quickly lose all meaning, and become worthless.

I don't see this as a failing of the AppSnap application (an attempt at a package manager for Windows), but rather as a fundamental shortcoming of Windows itself. I don't see any way that the project can circumvent this shortcoming, sorry.
"

Thanks for your detailed explanation! I have a lot of experience in Linux so I know what you mean! ;)

I'll try to help AppSnap developer as much as I can and keep the security aspect in mind!

Reply Parent Score: 2