Re: Ubuntu MATE's Software Boutique and third party sources

[Robie Basak]

Hi Martin,

On Wed, Feb 21, 2018 at 05:26:45PM +, Martin Wimpress wrote:
> I can attend the TB meeting on the 27th, I've rearranged some personal
> commitments so I can be free in the evening. If there is anything we
> can discuss prior to the meeting via email, then we can do that too.
> I'm certainly open to suggestions as to what we can modify to retain
> features that our users find extremely valuable.
> 
> We are currently re-working Welcome and de-coupling the Software
> Boutique into it's own application. Along the way we are cleaning up
> how AptDaemon/PackageKit are used, so the calls to external utilities
> are not required. We also adding support for snaps and Welcome and
> Boutique are going to be delivered as snaps, initially classic but I'm
> talking with the security team to determine what interfaces are
> required so that we can strictly confine both applications yet still
> be able to install software via apt and snap.

The TB has an outstanding action item that apparently awaits a response
from you. It's been languishing a long time, and I suspect is out of
date or missing further action that was already taken. Maybe the email
I'm replying to is actually the expected response from you? Could you
update us on your understanding of the current status of this, please?

Thanks,

Robie


signature.asc
Description: PGP signature
-- 
technical-board mailing list
technical-board@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/technical-board

Re: Ubuntu MATE's Software Boutique and third party sources

[Martin Wimpress]

Hi Steve,

I can attend the TB meeting on the 27th, I've rearranged some personal
commitments so I can be free in the evening. If there is anything we
can discuss prior to the meeting via email, then we can do that too.
I'm certainly open to suggestions as to what we can modify to retain
features that our users find extremely valuable.

We are currently re-working Welcome and de-coupling the Software
Boutique into it's own application. Along the way we are cleaning up
how AptDaemon/PackageKit are used, so the calls to external utilities
are not required. We also adding support for snaps and Welcome and
Boutique are going to be delivered as snaps, initially classic but I'm
talking with the security team to determine what interfaces are
required so that we can strictly confine both applications yet still
be able to install software via apt and snap.

Regards, Martin.



On 20 February 2018 at 22:29, Steve Langasek  wrote:
> Hi Jeremy,
>
> Thanks very much for raising this issue.  As you and I discussed on IRC, it
> appears there was an assumption that the Technical Board was aware of and
> comfortable with the MATE behavior here.  In fact, the exact behavior
> implemented in MATE has not been reviewed by the TB as a body, and I do have
> some serious concerns about how it squares with the policy for archives in
> Ubuntu images (including flavors).
>
> On Tue, Feb 20, 2018 at 03:46:40PM -0500, Jeremy Bicha wrote:
>> Hi,
>
>> My understanding is that the Ubuntu Technical Board has a
>> long-standing policy against enabling PPAs without a formal exception.
>> For background, a request to enable a Unity 8 PPA for 16.04 LTS users
>> was denied. See LP: #1585362
>
>> Software Boutique
>> ---
>> Ubuntu MATE for several releases has shipped a Software Boutique app
>> (source package is ubuntu-mate-welcome). While it respects the letter
>> of the policy (Ubuntu MATE does not enable PPAs by default), the UI at
>> least bends the interpretation of the policy.
>
>> It's fairly easy to try out even without installing Ubuntu MATE. Just
>> grab the 17.10 iso (the 18.04 version of the app hasn't been fully
>> updated for available sources) and run System> Administration>
>> Software Boutique. (The Boutique app is also promoted as part of the
>> Welcome app experience after install).
>
>> There is a large amount of software available for install, some of it
>> comes directly from Ubuntu. Others are not part of Ubuntu at all. A
>> user could easily install the Brave web browser and be unaware that
>> they have enabled a third-party software source and unaware of the
>> consequences of doing that.
>
>> The prominent "Retrieve the latest software listings" link (once
>> "Apply Changes" is clicked) enables the Ubuntu Mate Welcome PPA.
>
> My understanding is that this is the code you've directed me to in the
> ubuntu-mate-welcome package, which allows installing software from a range
> of repositories.
>
> data/js/applications.json within that package is quite illuminating - in
> particular, search for 'apt-key-url', 'apt-key-server', and 'enable-ppa'.
>
> In principle, there is nothing wrong with flavor developers promoting the
> use of a particular ppa.  The problems arise when the flavor enables the ppa
> on behalf of the user, without getting the user's informed consent.  The UX
> around add-apt-repository isn't great, it's awkward and scary - but it's
> that way because you're doing an awkward and scary thing, with significant
> security implications for the system.  You must implicitly trust the
> owner of the ppa you're enabling, and this decision to trust isn't one that
> the MATE developers should be making on behalf of the end user.
>
> The problem is even worse for the non-ppa sources.  By enabling these
> archives, you are expanding the circle of trust to include: whoever
> uploads content to the archive; whoever controls the signing key used (which
> is not Canonical, unlike for a ppa); and in the case of some of the
> archives, everyone upstream of you on the Internet because while the archive
> is secured with GPG, the key used to sign the archive is being downloaded
> over plaintext http.
>
> (Of course, even when you're downloading the key over https, you're trusting
> all of the SSL CAs, because you don't know which one is used to issue the
> certificate of any particular archive provider and you don't want to break
> compatibility, so you just use the default list rather than pinning.
> Unfortunately, it turns out this is not any worse with third-party archives
> than it is with ppas, because add-apt-repository does:
>
>   # Specify to use the system default SSL store; change to a different path
>   # to test with custom certificates.
>   LAUNCHPAD_PPA_CERT = "/etc/ssl/certs/ca-certificates.crt"
>
> This is regrettable, but I think it is probably not worth fixing in the ppa
> case given that we should generally try to encourage use of the Snap Store -
> with its much stronger security story

Re: Ubuntu MATE's Software Boutique and third party sources

[Steve Langasek]

Hi Jeremy,

Thanks very much for raising this issue.  As you and I discussed on IRC, it
appears there was an assumption that the Technical Board was aware of and
comfortable with the MATE behavior here.  In fact, the exact behavior
implemented in MATE has not been reviewed by the TB as a body, and I do have
some serious concerns about how it squares with the policy for archives in
Ubuntu images (including flavors).

On Tue, Feb 20, 2018 at 03:46:40PM -0500, Jeremy Bicha wrote:
> Hi,

> My understanding is that the Ubuntu Technical Board has a
> long-standing policy against enabling PPAs without a formal exception.
> For background, a request to enable a Unity 8 PPA for 16.04 LTS users
> was denied. See LP: #1585362

> Software Boutique
> ---
> Ubuntu MATE for several releases has shipped a Software Boutique app
> (source package is ubuntu-mate-welcome). While it respects the letter
> of the policy (Ubuntu MATE does not enable PPAs by default), the UI at
> least bends the interpretation of the policy.

> It's fairly easy to try out even without installing Ubuntu MATE. Just
> grab the 17.10 iso (the 18.04 version of the app hasn't been fully
> updated for available sources) and run System> Administration>
> Software Boutique. (The Boutique app is also promoted as part of the
> Welcome app experience after install).

> There is a large amount of software available for install, some of it
> comes directly from Ubuntu. Others are not part of Ubuntu at all. A
> user could easily install the Brave web browser and be unaware that
> they have enabled a third-party software source and unaware of the
> consequences of doing that.

> The prominent "Retrieve the latest software listings" link (once
> "Apply Changes" is clicked) enables the Ubuntu Mate Welcome PPA.

My understanding is that this is the code you've directed me to in the
ubuntu-mate-welcome package, which allows installing software from a range
of repositories.

data/js/applications.json within that package is quite illuminating - in
particular, search for 'apt-key-url', 'apt-key-server', and 'enable-ppa'.

In principle, there is nothing wrong with flavor developers promoting the
use of a particular ppa.  The problems arise when the flavor enables the ppa
on behalf of the user, without getting the user's informed consent.  The UX
around add-apt-repository isn't great, it's awkward and scary - but it's
that way because you're doing an awkward and scary thing, with significant
security implications for the system.  You must implicitly trust the
owner of the ppa you're enabling, and this decision to trust isn't one that
the MATE developers should be making on behalf of the end user.

The problem is even worse for the non-ppa sources.  By enabling these
archives, you are expanding the circle of trust to include: whoever
uploads content to the archive; whoever controls the signing key used (which
is not Canonical, unlike for a ppa); and in the case of some of the
archives, everyone upstream of you on the Internet because while the archive
is secured with GPG, the key used to sign the archive is being downloaded
over plaintext http.

(Of course, even when you're downloading the key over https, you're trusting
all of the SSL CAs, because you don't know which one is used to issue the
certificate of any particular archive provider and you don't want to break
compatibility, so you just use the default list rather than pinning. 
Unfortunately, it turns out this is not any worse with third-party archives
than it is with ppas, because add-apt-repository does:

  # Specify to use the system default SSL store; change to a different path
  # to test with custom certificates.
  LAUNCHPAD_PPA_CERT = "/etc/ssl/certs/ca-certificates.crt"

This is regrettable, but I think it is probably not worth fixing in the ppa
case given that we should generally try to encourage use of the Snap Store -
with its much stronger security story on /multiple/ axes - over ppas.)

I see that there are some differences in the display of the different types
of sources; but find no explanations to the user of the implications of
enabling each type.

> Consequences
> ---
> It's a lot of third-party sources that are not vetted or monitored by
> anyone except for the Ubuntu MATE developers.

> My understanding is that all third-party sources are disabled on
> upgrade by ubuntu-release-upgrader and not re-enabled afterwards. This
> is a serious problem. For instance, a user could install Brave in
> 17.10 and a few months later, upgrade to 18.04 and then not receive
> any security updates for Brave any more.

> Also, the Ubuntu upgrader does not run ppa-purge which could cause
> issues on upgrade. I don't know if it affects any of the Boutique
> apps, but it is a problem for some types of repos.

> I think many Ubuntu developers and contributors would consider a
> system with a significant number of third-party repositories like that
> to be in an unsupported state. (?