#2
4th August 2008
Darwimy
Port Guard
 
Join Date: Jun 2008
Location: Germany
Posts: 36

I compare it to another system:

The creator of a module registers his module on a web site, submitting a hash of his module together with a description. From the web site an administrator with write access reviews his module and submits it into a central database. The module creator cannot write to the database himself.

This database is mirrored read-only to users who download a copy of the database and compare its signature with a key shipped with the system.

You might recognize this: It's the FreeBSD ports system when used with portsnap!

It misses the digital signature of the module by its owner. But to me this is the critical point. The web site should never have access to the private signature key. Therefore it must be created by the user. But how do we know that the user is trustworthy? He must be identified and his public key must be 'certified' in some way (e.g. by including it in the database or by assigning it to a certificate).

This is how 'code signing' works, like it can be found in Windows installers or some Java applications. But it requires 'processes' (application, revocation). While many things can be automated someone has to review the application. Large organizations (like the FreeBSD community) operating for free will probably not be able to handle these processes. Despite that, educating the module creators how to create their keys and keeping them secure would be a difficult task.

I think if the community of module creators is small and well 'educated' your proposed system will probably work. But if your community grows large it will require a lot of work.
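A minimal model of the scheme described in this post (creator submits a hash, administrator signs the reviewed database, user verifies the mirror with a shipped key, then checks the module hash), added here as an example; it is not code from the poster or from FreeBSD's portsnap, and the key seed, module name and module contents are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// DemoKey derives the operator's key pair from a constructed seed (demo only);
// in practice the private half stays offline and only the public half ships.
func DemoKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// ModuleHash is the hex SHA-256 a module creator submits with the description.
func ModuleHash(module []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256(module))
}

// SerializeDB renders entries as "name hash" lines so the signature covers one fixed byte string.
func SerializeDB(entries [][2]string) []byte {
	var buf bytes.Buffer
	for _, e := range entries {
		buf.WriteString(e[0] + " " + e[1] + "\n")
	}
	return buf.Bytes()
}

// SignDB is the administrator's step; module creators never hold this key.
func SignDB(priv ed25519.PrivateKey, db []byte) []byte { return ed25519.Sign(priv, db) }

// VerifyModule is the user side: trust the mirror only if signed under the shipped key, then check the hash.
func VerifyModule(pub ed25519.PublicKey, db, sig []byte, name string, module []byte) error {
	if !ed25519.Verify(pub, db, sig) {
		return errors.New("database signature invalid")
	}
	for _, line := range bytes.Split(db, []byte("\n")) {
		if f := bytes.Fields(line); len(f) == 2 && string(f[0]) == name {
			if ModuleHash(module) == string(f[1]) {
				return nil
			}
			return errors.New("module hash does not match signed entry")
		}
	}
	return errors.New("module not present in signed database")
}
```

Note that nothing here authenticates who submitted the hash; that is exactly the per-creator signature the post says is missing.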