Date: Mon, 27 Jul 1998 11:58:15 +0100 (BST)
From: David Southwell <david@cyberc.demon.co.uk>
To: new-httpd@apache.org
Subject: Re: Fwd: 1.3.1 missing pgp signature
In-Reply-To: <35BB11E0.3838D866@Golux.Com>
Message-ID: <Pine.BSF.3.95q.980727105630.11079E-100000@xgate.cybercities.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

On Sun, 26 Jul 1998, Rodent of Unusual Size wrote:

> David Southwell wrote:
> > 
> > KEY QUESTIONS! (no pun intended!) ;-)
> > 1. How many people actually use it?
> 
> What, PGP in general?  
Not really relevant!


>How many use the signature to verify the Apache releases?  
Much more pertinent!

>There's no way to tell - but enough people expect it that we get
>complaints if a release isn't signed. 

Yep but the complaints only seem to come from those who do sign em --
kindof "I take the trouble so why shouldn`t you" rather than a complaint
"Hey I have taken this to be genuine and it was not!!"

>It's unclear whether they expect it because
> we've done it in the past, or because it's a common practice.
It seems to be more of type I do it - so you must - which is not really a
point to need!!
 
> > 2. Can we be convinced it is really essential?
> 
> If we only did things that were essential, Apache wouldn't
> exist.  
Not relevant -- maybe essential is too strong -- maybe "demanded
behaviour" is more accurate representation.

>Trojanned copies.  Is there any real problem about trojanning - unless
www.apache.org has poor security and is badly managed anyone who is really
doubtful would check back to the source held there. Sounds like
belt/braces& string to me!!

 
> > 3. Does someone who fails to PGP sign really deserve being pilloried?
> 
> Who's getting pilloried? 

Sounded like it to me! Response was a bit too authoritarian for my taste!

 That's a very strong word.
> Fails to sign: probably not.  Refuses to sign: perhaps.

> Personally, I think it's part of the process, like paying dues.
frankly not convinced -- too subjective -- depends upon whether people
agree to be bound by such rules -- if they do fine -- if not a bit of
laissez faire would not go amiss!

> If someone's not willing to sign a release, he shouldn't be
> responsible for constructing it

That seems very subjective to me --
Some people might sign others might not - as they are doing it for free
seems Ok to me!


> > 4. Did the introduction of the process come about due to a
> > significant bad experience or was it introduced as a "generally
> > good idea"?
> 
> I personally don't know the answer to that one, but I suspect
> the latter.

So do I -- iseems to me like a practice that doesnt do any harm - but one
that there is no essential need for it to happen!!


> > 5. Do we really have anything to fear from dropping the practice?
> 
> Only some loss of credibility. 
The credbility is in the release not the signature!

> Signing a release is not a big deal.  It takes a few seconds.  

OK for some but at least one person didnt find that to be so -- comes down
to tolerance really!


> > OBSERVATIONS!
> > >From what I have heard so far it does seem to sound like an almost
> > entirely unused sledge hammer kept around to crack hypothetical nuts!!


> 
> Since 00H01 Sunday - about 18 hours ago - there have been 59 requests
> for the release files and 63 for the .asc files through FTP, and 25
> requests for the .asc through HTTP.  That's only on the Apache.Org
> site itself, not any of the mirrors.  I don't know what the request
> rates were like in the early days of the release, but those numbers
> don't look very hypothetical.

Sorry but you are arguing against your proposition here!

There is no logical correlation between numbers of files requested from
apache.org and any hypothetical need for PGP signing. Indeed the
correlation is in favour of the argument against a requirement for PGP 
signing.

By definition those that got the files from Apache.org got the right ones
Unless as I said earlier the security is crap (which i doubt). It
therefore means that PGP signing was not required for at least that number
of downloads

> 
> > However from what has been said so far it seems that people who are
> > likely to be in the position to doubt the validity of a tarball are
> > few are far between. They are also more likely to ask here than go
> > through the hassle of checking it out using PGP!


> 
> No and no (IMHO).  This list was kept pretty much a secret until
> a few months ago, and still isn't widely published.  There are
> only 223 subscribers to it right now.  The number of Web sites
> using the software is almost 6000 times as large.  If we assume that
> 30% of those Web sites are really vhosts, 100% want to download,
> and that only 20% of downloaders want to check the signature,
> that still leaves us with over 150'000 people.
> 
I would suggest that 1% using PGP checking would overstate the case - and
those who needed to be sure would have downloaded from apache.org in any
case to make sure they had the latest in case mirrors were not up to date!

> Checking the signature isn't any more hassle than creating it.
> A few seconds at best - again, once you know how.
> 


> > On the one hand a low expectations of downloader capabilities is
> > demonstrated by not keeping old releases around (apparently for fear
> > that people are not able to distinquish between releases that are and
> > are not currently supported) ; on the other hand there is an implied
> > perception that PGP signing is essential from which one deduces an
> > appropriate level of competence!

 
> It's not 'apparently for fear,' it's because 'experience has shown.'
> We're dealing with large numbers here.  If only 1% of the downloaders
> choose something stale, and only 1% of *those* report a problem that's
> fixed in a release later than they installed, that's still nearly
> 100 reports.  

They could still get hold of an old signed copy so the point is
irrelevant. What we are talking about are incompatible views of user
competence! (a) they must have PGP signed copies (b) they are not capable
of checking whether they have the latest release!! 
 
> Consider the size of the Apache user base.  There is room for
> both highly competent people who want the PGP signatures and
> clewless 

(I presume you mean clueless!!)

> masses that will install antique 
(recently revised!)

> software.  

They may find something which worked on a previous version doesnt work on
the current - this will provide valuable debugging information. If they
deleted the older version then they may need to re-install to provide the
debug information we need!

And either can easily overwhelm us by virtue of the sheer
> size of the issue. 

You seem to be suggesting that the occasional release which is not PGP
signed would overwhelm us due to complaints

 - not convinced - 

hell it is not even a requirement for operating system releases - what
could be more fundamental than that! 

OK LETS TRY AND RECONCILE THE POINTS OF VIEW!
 
It seemed to me that some responses to a guy who didnt PGP sign was over
the top and a tadge authoritarian. 

In these circumstances if the guy doesnt want to PGP sign it I would thank
him/her for releasing it - and that should be the end of the matter!

If the next guy who does a release wants to sign it doesnt do any harm and
may do some good - so lets thank him/her and that should be the end of the
matter!

Lets not be prescriptive about practices that are not essential! 

> No, because all things are not equal.  We are a few dozens trying
> to support hundreds of thousands.

OK so let us recognise it is important not to offend volunteers who give
freely of their time energy and resources over something which is, on the
scale of things, so insignificant! 

enjoy life! :-)

david S.


David Southwell
Chairman      
CyberCity Ltd            (European agents for CyberCity Inc. BVI)
+44 117 955 8225            CyberCity Technology in Europe
BCDP Technology ++Beyond the Corporate Doorway Processing Solutions++