On Tue, Aug 13, 2013 at 10:33 AM, Michael Zanetti < [email protected]> wrote:
> On Tuesday 13 August 2013 10:01:58 Sergio Schvezov wrote:
> > On Tue, Aug 13, 2013 at 9:33 AM, Michael Zanetti <[email protected]> wrote:
> > > Hi,
> > >
> > > I've just been watching this demo [1] on how to publish click packages. Looks
> > > very promising! However, one question that comes up here is at the uploading
> > > step (3:13 in the video):
> > >
> > > The website allows you to upload a binary package and a source package. However, I
> > > can't see any connection between those two. How can I be sure that the binary
> > > click package indeed contains an unmodified version of the uploaded source
> > > package? From what I can see here I could easily publish some source code and
> > > then build a malicious package containing some additional bad code.
> >
> > You will be confined by apparmor here and very limited in the bad things
> > you can do.
>
> I don't agree here. I'm not entirely sure how AppArmor works, but I assume it
> would block access to, for instance, my address book. If I still want to use
> that app there must be some place where I can grant permissions to an app to
> access my address book. This is where I would like to know what the package
> actually does with my address book and where I would need to rely on the fact
> that the binary package is indeed an *unpatched* version of the uploaded
> source package.

I seem to have phrased it wrong; and yes, I agree with you and would add that you would also be hit by this possibility with a closed-source app. I'm leaving the rest of the story for the folks who designed this.
--
Mailing list: https://launchpad.net/~ubuntu-phone
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~ubuntu-phone
More help   : https://help.launchpad.net/ListHelp

