On 1/13/06, David M. Besonen <[EMAIL PROTECTED]> wrote:
> On Fri, 13 Jan 2006 15:51:20 +0100, Joris Huizer
> <[EMAIL PROTECTED]> wrote:
>
> >you may see this as some problem:
> >
> >"Isn't running stuff off the net a security risk?
> >Isn't that where you get your software from anyway? Zero Install
> >automatically performs a number of checks for you (such as checking MD5
> >sums and GPG signatures), and since it doesn't run any of the remote
> >code as root, you can try software out safely as a 'guest' user. Once
> >downloaded, the programs are run from the cache, without even checking
> >the original sites for updates (you have to tell it to update manually)."
> >
> >That means: no security updates or whatever I guess
>
> right. this problem is part and parcel of all gnu/linux "bundled
> application" solutions that are available atm iirc. no? a trade-off
> of less security for greater ease of use by the enduser.
>
> the upside seems to be that the end-user is less likely to fubar the
> whole os if they zero install some malware since the zero install
> system says it confines all activity to user space. am i
> understanding this correctly?
>
> peace,
> david

wow. http://zero-install.sourceforge.net/compare.html reads like "get the facts".

"Debian has three separate places where software is installed"

What user cares where the package installed? As long as the software works, what's the problem?

"Our student just wants to run the software."

Good for 'our student'. However, he doesn't own that machine, now does he? He is not responsible for the operation of said machine either. He is, however, supposed to use the system within the policy dictated by the administrator, school, etc. Being able to run whatever you want could just be an issue in some scenarios. So what now? Have the administrator have to black or whitelist an endless list of packages? No thx, not for this admin.

"Running anything as root is a security risk. If the Debian package for AbiWord contains malicious code (or just a simple bug), it will be running that code as root, with full power to do anything it likes to the machine."

Well, if you can't trust the software you are installing, much less the system it is being installed upon, well, I'll just leave it at that. (so really, a non-issue)

"APT relies on a database to keep track of what's installed and what isn't. This database must be kept in sync with the filesystem... if the user deletes a file to save space, then APT will continue to think that the file is installed."

Deleting a system installed file would require the user to have root access. If this is the case, there is no system level security at all. (yet another non-issue)

"APT often downloads more than you need. Some packages have been split, for example 'python' and 'python-doc', but most packages require you to download a considerable amount of data that you simply don't need."

Eh? Methinks he's confusing debian/dpkg systems with some fairly braindead, albeit popular, bloated packaging system. (swing and a miss)

"Despite trying to download every file for every feature of a program you might possibly need, APT still often fails to get things you want. For example: install gqview and open an image. Choose 'Edit in Gimp' from the menu, and you'll get an error complaining that Gimp isn't installed."

That's why there are things like apt policies to install suggested packages, or even auto-apt. (omg u loose agane!!!!11)

"APT is not scalable: Since every package is installed as root, every package must be carefully checked by a trusted Debian developer."

Really now? News to me. Last I checked, debian, maybe ubuntu had the most packages available of any linux distro. And again, security actually matters to some people. Trust the debian team or trust ... whoever. Riiiiiiight. (sorry, no dice)

and then they go on to say ...

"Anyone can make software available via Zero Install. Trust is for individual users to decide, not the admin, since their choices only affect them."

Oh, if that were only how computer security *actually* worked. Yes, sometimes user code can be used to exploit root level vulnerabilities, even under linux. Nice try, though.

and then, here: http://zero-install.sourceforge.net/filesystem.html they describe how applications are cached, so that multiple users on the same system only work off of one instance of a program in the zero-install cache. So, exactly how is that only affecting one user again? Right, it isn't. (BZZZZT!)

"APT must download the latest package listing for the whole archive before doing anything."

Well, I have news for you. If you're on a slow enough connection that you can't stand waiting for the packages list to download, just wait until you try to install any software, either via apt or zero-install. Yeah, go "zero-install" open office. (no cookie)

"Upgrading is very slow ... it requires downloading a vast amount of software, most of which won't be used before it's upgraded again."

Oh yes, much better to run a system where the older software packages, the ones with possible security issues, stay on the system the longest. Brilliant!

Ok, I'll just stop there. Yeah, it's a really slow day at work ;-)

--
Noah Dain
"Single failures can occur for a variety of reasons that have nothing to do with a hardware defect, such as cosmic radiation ..." - IBM Thinkpad R40 maintenance manual, page 25

