I'm sorry, but this bug is all over the place. Initially it was 'make
gdebi harder to use' but it has morphed into a wishlist of desired
behaviors for gdebi leading to a situation where there is no way to
address this bug.

Any user who downloads a deb file and runs gdebi on it is explicitly
trusting that file to do *anything and everything* as root. If we put in
some mechanism for gdebi to alert if something is added to sources.list
or /etc/apt/sources.list.d, the maintainer scripts could easily subvert
it (e.g., add something to cron, at, etc., etc.), not to mention the
binaries themselves. My feeling is the gdebi portion of this bug should
be marked "Won't Fix" as there won't be a reasonable way to protect a
user from untrusted debs.

Forcing the user to download a file from firefox onto the desktop and
then double clicking it to install via gdebi seems specious and not real
security. The user downloading the deb will dutifully jump through that
hoop without a second thought.

Michael, please let me know if I'm missing something in my analysis. If
not, I suggest marking as Won't Fix and possibly (though I don't think
we should) opening another Wishlist bug against firefox requesting gdebi
not be called by firefox.

** Changed in: gdebi (Ubuntu)
       Status: Confirmed => Incomplete

** Changed in: gdebi (Ubuntu)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

-- 
Make gdebi harder to use (was: Disable support for adding repositories)
https://bugs.launchpad.net/bugs/139227
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
