[rfc][icedtea-web] "Always trust content from this publisher" defaulting to checked
Andrew Azores
aazores at redhat.com
Tue May 20 18:59:24 UTC 2014
On 05/20/2014 02:54 PM, Omair Majid wrote:
> * Andrew Azores <aazores at redhat.com> [2014-05-20 14:46]:
>> On 05/20/2014 02:28 PM, Omair Majid wrote:
>>> * helpcrypto helpcrypto <helpcrypto at gmail.com> [2014-05-20 14:20]:
>>>> For our company, the less users have to think/do, the better.
>>> I think this is the right approach. If you prompt users all the time,
>>> even for things they have trusted before, they are likely to start
>>> accepting all prompts. It would be disastrous if they accidentally
>>> accepted a malicious signed applet.
>> We already prompt the users *a lot*, and we do it with defaulting to always
>> trusting the applet in the future. Accepting a malicious applet is bad,
>> *always* accepting it is worse...
> It's a bug if we check the "accept-by-default" box by default for an
> applet not signed by a trusted CA.
I'm not saying the current behaviour is buggy, I'm just saying I don't
know if I agree with the choice of defaulting it to always accepting for
the user in the future.
>
>>>> My two cents: leave it checked.
>>>> My two cents (2): I really don't care :P
>>> Agreed. Let's make sensible decisions where we can, but allow users to
>>> override them.
>>>
>> IMO the more sensible choice is to not, by default, assume the user will
>> "always trust" any applet at all. If they want to always trust an applet and
>> not ever be asked about it again, I think that should be a decision they
>> actively make, rather than be the default that occurs if they blindly click
>> OK until the applet appears.
> I am not sure I understand what the new model would be. Wouldn't it be
> prompting more and then asking them to understand something make a
> decision (sandbox with appropriate policies vs run) that they are not
> knowledgeable about in general to make?
>
> Thanks,
> Omair
>
I think the "Run" button is obvious enough for users who are not
informed about the Sandboxing options that they can simply choose Run
and not worry about it. The new model is the same as the old model
except without assuming that an applet being signed by a "Trusted CA" is
really enough to decide that the user really does trust the applet to
always run on their machine with full unrestricted access.
Thanks,
--
Andrew A