I've seen about my billionth discussion about the splintering of linux distributions.  The simple fact that choice doesn't make people interested in using something.  If that made people happy, then blank paper would be the internet!  Nothing allows open choices like a blank piece of paper - but you have to do the work.  When you stare at a blank piece of paper, your mind churns with ideas but it takes time to put anything interesting or useful down.  (See writer's block)

 Who wants to write their own daily paper from scratch every day - no one!  We pay to have someone deliver it to our doors.  Who even wants to write their own news?  Eck!  Who wants to compile their own software...or debug their kernel dumps?

Linux has all the choices you could possibly want, but not one variant has all of the features most want/need.  Some call this progress because you get to make a choice, but it isn't.  Its just an overly splintered OS.  Just build one version that does all of this stuff (well of course).  If all these linux developers were forced to work on a single linux version, it would be incredible!  We'd have a featureful, stable OS for most everyones needs.  This could take down Microsoft, nothing less will. 

So its clear by market analysis, psychoanalysis, etc, that the primary key to a software's success is not how free it is, but rather how featureful it is.  Linux is horrible at providing a standard process for configuration modification.  Every config file could be in about a dozen different locations with a dozen different syntaxes...just in the last 6 months.  ;)

I think if the linux community had the kohones they could reverse their years of wallowing in about a year by picking a single variant and closing development on all others.  Within 356 days this OS would be close to useful for everyone.  Within another 365 days it would be robust.  Microsoft stock would plunge as vendor after vendor noticed business after business switch to OneLinux and introduce useful solutions.  I call it the two year plan.  I would also think that goverments would appreciate this consolidation and follow suit by promoting this OS.  Within 5 years, the market would be able to support multiple variants again (but a controlled few) allowing for those special needs.  But the key reason why only one variant of linux is required to make this all work is the developers and the geek community simply can't agree on working for the common good very well and there aren't enough people developing to support more than that (See the list of poor quality and insecure linux distributions here).

So charge as little as you want...I'll download it, but I'll gladly buy something that has what I need and does it well.

    

So, I've been holding off my migration to Community Server 2.1 since I really don't want to deal with the differences yet.  Lo and behold...there is BlogEngine.NET!

Essentially looks like a simple blog engine good for replacing DasBlog.  I'm checking this out as my replacement, making sure I can migrate content over and that'll be that for DasBlog I think.

I got to go to LA for CISSP training.  It was nice although I didn't get to explore much.  Deckard would be proud...

A nice shot of the Bradbury Building:

I have passed my CompTIA Security+ exam and I'm now Security+ and MCSA:Security 2003 certified!

 

 

 

    I have setup CS 2.1 for my new blog content at http://ydns.no-ip.com/cs/blogs/ydns/default.aspx.  Probably gonna abandon DasBlog as it is infrequently updated and lacks the feature set of Community Server.

Trust is an reliance on the integrity or nature of a entity.  It does not protect you.  Just assures you of its virtue of topic.  So, you can have trust of identity, trust of intent, trust of protecting your credit card number, etc.

Validation is what is used to determine the state of trust.

Website use SSL certificates to provide a level of security for users.  The nature of those certificates is built upon a "chain of trust" that emanates from their root certificate, held by some other entity usually.  So the reason you don't need to fear someone seeing your email on gmail is not that it has been encrypted per say, but that the only entity that can see that traffic is actually Google.  If Google sold their SSL certificates private key, they would risk exposing everyone's email to that buyer.  Hmm...quite a lucrative market there I bet.  :)

 Trust is a odd thing.  If you have to prove it did you have any to begin with?  So why call it trust, why not call it something else like Validated Identity Recognition - "I see that certificate and I have determined it to be proof of your identity so lets talk in private now".  You have essentially validated Google's identity in the example above, not placed trust in them.  Hey, they may not have a clue how to protect their servers or customers.

So why mention this distinction?  Well it seems that there is one current problem with open source - a lack of trust.  I don't play with guns because I don't trust them in the situations I would place them in; Leaving them unsecured for hours a day, etc. Trust isn't the only thing encouraging someone to buy a product though.  There are lots of reasons.  But I suspect companies see things differently.  Users (and companies) don't trust this stuff just because they could take a look at its code.  Most users have no clue how to review code.  They also have no reason to trust something based on its existence.  That's like trusting a bomb because you see it.  Exactly not what you would do.

So the point I'm making here is that somehow it becomes important to increase the amount of trust related to open source projects.  It therefore becomes necessary to give "outsiders" a standard method of accepting (or refuting) the measure of trust of a open source project.

So why not start creating a trust based solution for open source projects.  A way of saying "I've reviewed the project or part of it and I can validate it does what it is supposed to".  Repeated hundreds of times for a project and you can begin to see how "supporters" and developers" begin to assign levels of trust to specific people.  I trust ProjectX so therefore I trust developer John.  Or vice-versa.

Using things like certificates as a identity placeholder, you can associate Trust Points in some public manner that enforces the notion of trust in open source projects.  So as you gain Trust Points in general you may be generally more accepted regarding your input to a project.  This is kind of like the forum policing that moderators (and user) perform, but in reverse.  Don't focus on tearing a person down.  Instead focus on building up trust.  Those that continue to fail in that regard will not achieve much trust.  The same for projects.

I can see modules being implemented similar to blogs posts using Captcha, but signing with a public cert.  Since you can only sign once, re-signing is irrelevant and easily blockable.  Getting around the system becomes difficult and only coersion is a concern.  So could you either convince or force others to sign?  Of course.  That is certainly a risk here, but no more then other repudiation systems.  You could be notified and have the ability to renounce a signing (with limited options) and an impact on your Trust Status.

I think this idea of Project Trust has merit and could even be implemented in companies on a much smaller scale for internal projects.  More or less rated on their quality of work rather than the trust that they aren't putting backdoors in, but both are still relevant.

So validate the code, then trust the code.