On Tuesday 13 August 2013 10:01:58 Sergio Schvezov wrote:
> On Tue, Aug 13, 2013 at 9:33 AM, Michael Zanetti <[email protected]> wrote:
> > Hi,
> >
> > I've just been watching this demo [1] on how to publish click packages. Looks
> > very promising! However, one question that comes up here is at the uploading
> > step (3:13 in the video):
> >
> > The website allows to upload a binary package and a source package. However, I
> > can't see any connection between those two. How can I be sure that the binary
> > click package indeed contains an unmodified version of the uploaded source
> > package? From what I can see here I could easily publish some source code and
> > then build a malicious package containing some additional bad code.
>
> You will be confined by apparmor here and very limited in the bad things
> you can do.

I don't agree here. I'm not entirely sure how AppArmor works, but I assume it would block access to, for instance, my address book. If I still want to use that app there must be some place where I can grant permissions to an app to access my address book. This is where I would like to know what the package actually does with my address book and where I would need to rely on the fact that the binary package is indeed an *unpatched* version of the uploaded source package.

