On Thu, Jun 24, 2021 at 01:30:18AM +0000, Seth Arnold wrote: > This is in contrast to our apt and snap configuration, where only updates > can be installed without authentication, but new packages require using > sudo or a polkit 'admin' authentication to ensure a human is in the loop.
I just had update-manager pop up and prompt me to accept some updates, including some kernel updates. It then asked me for my password before proceeding. Having read your description of what is supposed to happen above, I found this surprising. I assume this happened because kernel updates always involve installing "new" packages. So it seems to me that I may or may not be prompted for authentication on a regular update, depending on what apt has decided is required. This isn't a rare occurrence, presumably because kernel updates are frequent. This behaviour seems surprising to me and it occurs to me that it sort of defeats the point of allowing package upgrades without authentication anyway. It'd be nice if things could be arranged not to require authentication for new packages if and only if those new packages are suggested by apt as part of dependency resolution (as opposed to extra packages by user request). Failing that, maybe it'd be better to either always require authentication, or never require authentication? Because otherwise it's just inconsistent and it therefore becomes meaningless from a user's perspective to sometimes skip authentication. And from the other side it'd be better not to train users to just enter their password whenever they're prompted by automatic "pop-up" machinery. The danger here is that a malicious app could pretend to be update-manager and then request something more nefarious via polkit. If the configuration is changed, then this might also change your view on what Flatpak on Ubuntu should do by default. I think the TB's request for Ubuntu Security Team input still stands; I just thought I'd add this additional feedback. Thanks, Robie
signature.asc
Description: PGP signature
-- technical-board mailing list technical-board@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/technical-board
