Re: Apturl (security) issues and inclusion in Gutsy

2007-09-25 Thread Vincenzo Ciancia
On 25/09/2007 Milan wrote:
> And then, before adding a repository, it should print : -
> the number of packages the repository provides and - the list of
> installed or main packages that may be replaced automatically. Using for
> example two dialogs, you would need to click twice on 'Next' to install
> it, this would be a minimum protection. Even more: at any time, the user
> should be able to easily revert to a pure Ubuntu desktop by disabling
> the custom repositories and removing their packages.

I agree, in particular, each time you install a package from an
unofficial source added with apturl, you should receive a warning, also
signaling the URL from which the package comes, and saying that
it's not an Ubuntu package. However, I would like to point out again that
you can already add apt sources leaving the user completely unaware, by
using an ad-hoc deb file installed with gdebi; it's just that unofficial
repositories are not (yet) doing this.

Vincenzo


-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss


Re: Apturl (security) issues and inclusion in Gutsy

2007-09-25 Thread Milan
Vincenzo Ciancia wrote:
> Adding a way for people to provide user-friendly apt sources without
> having to upload screenshots on how to add sources in
> "system/administration/sources" (whatever it is called in english) does
> not change the overall security model of ubuntu and apt, which is, if
> you have the root password, you can do whatever you like to your system,
> and if you add an apt source and its gpg key using the root password,
> you are authorizing other people to do whatever they want to your system.
>   
The new point is that you can easily add repositories even when you
don't know even the minimum about how apt works. And once you've added
repositories, even people willing to help you (by providing new
software) can impact your desktop in a bad way, and users will blame
Ubuntu for that. Expect to get many non-Ubuntu bugs from users that
don't know they are using bleeding-edge software from custom repositories.

At least, the first time you add a repository using apt-url, it should
warn you in a flashy way what you're doing, and need you to really read
the warning. And then, before adding a repository, it should print : -
the number of packages the repository provides and - the list of
installed or main packages that may be replaced automatically. Using for
example two dialogs, you would need to click twice on 'Next' to install
it, this would be a minimum protection. Even more: at any time, the user
should be able to easily revert to a pure Ubuntu desktop by disabling
the custom repositories and removing their packages.


I still agree that this feature may lead ubuntu into Windows-like
behavior, with unknown programs starting now and then, and an unstable
system. We should think twice about it, and wait for apt-url to be
really mature (at least, for it to implement all needed security features).
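
The pre-add preview proposed above (number of packages offered, and which installed packages would be superseded), sketched as an added example that is not part of the original post or of apturl. The package names, versions and index below are constructed, and the comparison follows Debian's version-ordering rules for well-formed versions (epoch, `~`, revision).

```python
import re

def _order(ch):
    # Non-digit ordering: "~" sorts before end-of-string (0), letters before the rest.
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_fragment(a, b):
    while a or b:
        ta, tb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(ta):], b[len(tb):]
        for i in range(max(len(ta), len(tb))):
            oa = _order(ta[i]) if i < len(ta) else 0
            ob = _order(tb[i]) if i < len(tb) else 0
            if oa != ob:
                return -1 if oa < ob else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0

def _split(version):
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, rev

def compare_versions(a, b):
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea > eb) - (ea < eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def preview_repository(index_text, installed):
    # Returns (packages offered, installed packages the repository would supersede).
    offered = {}
    for stanza in index_text.strip().split("\n\n"):
        f = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        offered[f["Package"]] = f["Version"]
    replaced = sorted(n for n, v in offered.items()
                      if n in installed and compare_versions(v, installed[n]) > 0)
    return len(offered), replaced

# Constructed data; a real map could come from dpkg-query -W -f='${Package} ${Version}\n'
SAMPLE_INDEX = "\n\n".join(f"Package: {n}\nVersion: {v}" for n, v in [
    ("example-player", "1.0-1"), ("firefox", "2.0.0.6-0ubuntu1vendor1"),
    ("libc6", "2.6.1-1ubuntu9~vendor1"), ("openssl", "1:0.9.8a-1")])
SAMPLE_INSTALLED = {"firefox": "2.0.0.6-0ubuntu1", "libc6": "2.6.1-1ubuntu9",
                    "openssl": "0.9.8e-5ubuntu3"}
```

On the sample, `openssl` is flagged even though its upstream version is lower, because the epoch outranks everything else, while the `~vendor1` build of `libc6` sorts below the installed one and is not.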



Re: Apturl (security) issues and inclusion in Gutsy

2007-09-25 Thread Vincenzo Ciancia
On 25/09/2007 Wouter Stomp wrote:
> > > How is this different from providing links to .deb packages? Users
> > > unaware about architectures et al are not really capable to
> > > understand comments next to the link either. If they are, you can do
> > > the same for apturl links.
> > >
> 
> The users don't need to be aware of architectures or anything. But
> there shouldn't be links to install programs on websites when they
> don't work. The links should be hidden/removed when they won't work
> anyway.
> 
> 

You can currently click on a .deb on any website, you'll receive a
couple of questions, if you click "ok" twice, you install a program in
your computer, and you run its post-install script as root. The
post-install script can add an apt-source, and call apt-get update. It
can even import a gpg key. However, this is not any different than
writing on a website "please cut and paste 'sudo wget *** && sudo dpkg
-i ***'" or "please add this line to /etc/apt/sources.list".

Now gdebi has been installed by default on feisty, and helped a lot when
installing non-ubuntu-provided software. There are plenty of websites
telling users to add apt sources, they do that every day, it's already
highly insecure.

Adding a way for people to provide user-friendly apt sources without
having to upload screenshots on how to add sources in
"system/administration/sources" (whatever it is called in english) does
not change the overall security model of ubuntu and apt, which is, if
you have the root password, you can do whatever you like to your system,
and if you add an apt source and its gpg key using the root password,
you are authorizing other people to do whatever they want to your system.

Again: a gdebi installed package can modify sources.list in its
postinstall script, this is no different than providing an apturl link.

Vincenzo
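
A pre-install check for the behaviour described in this message, where a package's maintainer script adds an apt source, imports a key or refreshes the index. This is an added example, not part of the original post or of gdebi; the patterns are a heuristic, and the sample postinst and its names are constructed.

```python
import re

# Actions named in the message above: adding an apt source, importing a
# signing key, refreshing the package index.
RULES = [
    ("apt-source", re.compile(r"/etc/apt/sources\.list(\.d/)?")),
    ("apt-key", re.compile(r"\bapt-key\s+add\b|/etc/apt/trusted\.gpg")),
    ("apt-update", re.compile(r"\bapt-get\s+(-\S+\s+)*update\b")),
]
MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")

def audit_script(text):
    """Return (line number, rule, line) for each non-comment line that matches."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        findings += [(lineno, rule, stripped)
                     for rule, pattern in RULES if pattern.search(stripped)]
    return findings

def audit_package(scripts):
    """scripts maps a maintainer script name to its text, e.g. read from the
    directory produced by `dpkg-deb -e package.deb control/`."""
    report = {name: audit_script(scripts[name])
              for name in MAINTAINER_SCRIPTS if name in scripts}
    return {name: hits for name, hits in report.items() if hits}

# Constructed sample postinst (hypothetical package and repository names).
SAMPLE_POSTINST = """\
#!/bin/sh
set -e
# register the vendor repository
echo "deb http://repo.example.invalid/ubuntu gutsy main" >> /etc/apt/sources.list
apt-key add /usr/share/example-app/vendor.gpg
apt-get -q update
"""

if __name__ == "__main__":
    for name, hits in audit_package({"postinst": SAMPLE_POSTINST}).items():
        for lineno, rule, line in hits:
            print(f"{name}:{lineno}: [{rule}] {line}")
```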



Re: Apturl (security) issues and inclusion in Gutsy

2007-09-25 Thread Wouter Stomp
On 9/18/07, Alexander Sack <[EMAIL PROTECTED]> wrote:
> On Mon, Sep 17, 2007 at 10:33:15PM +0200, Wouter Stomp wrote:
> > 1. It's possible to run arbitrary scripts in the preinst/postrm phase
> > of dpkg installation or the installed program itself could be
> > malicious. By allowing the repository to be specified the deb can come
> > from anywhere. So, you've basically got just a yes/no dialog stopping
> > arbitrary code execution. (Not far from UAC and ActiveX in windows.)
> >
>
> This is a feature of deb packages in general. ATM, you can provide
> .deb links that will run gdebi by default. The difference of apturl is
> that it allows you to ship dependencies of your provided packages as
> well.

When clicking on a .deb link, the user is given the choice between
downloading the file or opening it with an application of the user's
choice. Gdebi is only opened when the user chooses to do so.

>
> > 2. Repositories added through apturl could provide packages included
> > in Ubuntu but with higher version numbers with malicious code.
>
> ... this is a feature, not an issue.
>

This is not a feature, it is very dangerous.

> >
> > 3. there should be a VERY OBVIOUS visual indication of whether the
> > program is going to be installed from the official repos or some third
> > party site (right now it is not)
>
> If this is not obvious enough, we should take a look. ATM you get at
> least a warning because the 3rd party repository is not signed with a
> trusted key.
>

But once you have added the 3rd party repository, it can replace any
package without warning.

> >
> > 4. It is not well maintained. In the two months that it has been in
> > the archives, 20 bugs have been reported, none have been fixed. Only
> > one had a response and that is a bug about a spelling mistake in the
> > package description. (all together it seems to have been uploaded only
> > to enable the plugin wizard in firefox to work, after which it hasn't
> > had any more attention)
>
> Are there any serious bugs filed?
>

I think so yes, but it actually doesn't matter if they are serious or
not. One of the requirements for inclusion in main (let alone to be
shipped on the cd) is that upstream supports and cares for the
package. Well here clearly no one seems to care for the package.

> >
> > 5. It hasn't had a lot of testing. It wasn't mentioned in any of the
> > tribe release notes. There hasn't been a post in the dev-link forum or
> > on the mailing lists. So not many people know about it or have tested
> > it.
>
> The ffox plugin finder wizard was announced with tribe-5. I agree
> though, that we should call for more widespread testing/comments,
> especially how we can raise awareness about the security implications
> of 3rd party packages.
>

apturl itself wasn't announced anywhere

> >
> > 6. It functions for firefox only, even though solutions to enable it
> > for konqueror and opera have been provided in bug report. This makes
> > it impossible for a website to provide an "install this" link for an
> > Ubuntu package. They have to mention that it only works if you are
> > running firefox, not if you are a kubuntu user running konqueror for
> > example.
>
> I don't think that this is a valid argument. As you say, there are
> solutions for other browsers available. The fact that they haven't
> been integrated yet is not an issue of apturl.
>

But they should be integrated before shipping apturl by default,
otherwise it will reflect badly on ubuntu when a link works on ubuntu
but not on kubuntu or xubuntu for example because they use a different
browser.

> >
> > 7. There is currently no way for a website to know whether apt urls
> > will work on the users operating system. If a website provides an apt
> > install link it will be broken for feisty and earlier ubuntu versions
> > or other linux distributions,
>
> How is this different from providing links to .deb packages? Users
> unaware about architectures et al are not really capable to
> understand comments next to the link either. If they are, you can do
> the same for apturl links.
>

The users don't need to be aware of architectures or anything. But
there shouldn't be links to install programs on websites when they
don't work. The links should be hidden/removed when they won't work
anyway.

> >
> > 8. making people enter their sudo password in a popup you got from
> > clicking on a link on an arbitrary website is definitely not secure.
>
> I see the point of this. We should investigate how we can make the
> installer more spoof-proof. IIRC, it shades the application that
> started the installer atm, which is a good start and probably hard to
> spoof with just HTML mechanisms. Maybe we can add more
> prominent/graphical hints that its now the ubuntu install wizard
> processing your request?
>

It should be made a lot harder. Currently it is very easy to spoof.
You know that effect that some pages have when an image pops up and
the website itself goes gray? Use that and add a popup 

Re: 2007 Google Summer of Code in Ubuntu - project results

2007-09-25 Thread Francesco Fumanti
Hello,

I would like to let you know that in the meantime, mousetweaks is 
also hosted on launchpad:
https://launchpad.net/mousetweaks

You might want to add its launchpad address to the wikipage about the 
report of the GSoC 2007 for Ubuntu.

Have a nice day.

Francesco


At 7:17 PM +0200 9/24/07, Matthias Klose wrote:
>The 2007 Google Summer of Code is over, and most projects mentored by
>Ubuntu are successfully completed with the code finding the way into
>the forthcoming Ubuntu gutsy or hardy releases. Congratulations to the
>successful students and many thanks to their mentors! See
>
> https://wiki.ubuntu.com/GoogleSoC2007/Results
>
>This year Ubuntu did start with 20 single projects, 13 projects were
>completed successfully (for two projects the mentors were not entirely
>happy with the results), two students did drop out of the project,
>because they did find a/another job for this time. All students who
>did pass the midterm evaluation did pass the final evaluation as well.
>
>In six of the seven unfinished projects the students were unknown to
>their mentors, as reasons for not continuing the project were given
>personal things and unforeseen time constraints (i.e. exams).
>
>To wrap up this SoC we'll have a short meeting on irc (freenode) in
>the #ubuntu-meeting channel on Oct 1, 17:00 UTC for students and
>mentors. Everybody else is welcome as well.
>
>
>--
>ubuntu-devel-announce mailing list
>[EMAIL PROTECTED]
>https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-announce

