Re: Our sandboxed apps won't really protect users (was: Re: Darktable Copr)




I missed the subject change here, so I'll pick a seemingly appropriate point in the thread...

On Fri, Sep 11, 2015 at 10:30 AM, Owen Taylor <otaylor@xxxxxxxxxx> wrote:
On Fri, 2015-09-11 at 00:41 -0500, Michael Catanzaro wrote:
> Hi,
>
> You've posed a hard question that we've been ignoring because it's
> hard.

I think you are being unnecessarily alarmist and defeatist here.

The thing to realize is that Fedora has no interest in *preventing*
users from installing arbitrary software on their system. What we have
an interest in is preventing users from being *tricked* into
installing such software.

> Your key point is: "Packages not represented in Software are installed
> by users now, and these packages will continue to be installed if
> Software deigns to only expose xdg-apps."

I think we have to be clear here that Software currently shows only
software that is built on Fedora servers.

(There is discussion of changing it to allow for disabled repositories
to end up in search results, but these would still be rare exceptions,
carefully selected.)

My key point is that currently, Software exposes Applications (as defined by the GNOME HIG?). Users are installing applications, and they are installing packages that are *not* applications. I installed four new python modules on this machine today; none of them were malicious, none were from a third party. I'm just trying to frame this in an appropriate context; I'm not sure if the language being used here describes the behavior of one specific application on my system, gnome-software, or a system policy.

What xdg-app allows is to make it plausible to greatly *extend* the
set of software - to allow displaying results that are not built by
Fedora.

It can't be a complete wild west - there have to be mechanisms for
reporting abuse, blacklisting apps, etc - but we can very viably allow
people to download and run applications built by 3rd parties, without
making every such app downloaded be able to do *absolutely anything on
the system* as is the case now.

For applications built in Fedora - moving them to xdg-apps provides
incremental benefits, such as having a security vulnerability in an
application be localized to that application - so there's an incentive
to work in this direction.

But there's no point in just blanket kicking all existing
applications in Fedora out of Software unless they are packaged as xdg-
apps - that doesn't benefit the user.

> The compromise solution will probably wind up being that Software only
> exposes xdg-apps, like you fear, but I'm going to argue that doesn't go
> nearly far enough. You maybe haven't considered that we have a
> compelling interest to make sure users can run only sandboxed xdg-apps,
> period, so that bad guys can't own users' computers by putting custom
> installers and RPMs up for download on their web sites. But we also
> want to make sure Fedora remains a general purpose OS that the user has
> full control over: we're not respecting the user if we limit what he
> can do like an iThing. The goals are contradictory.

We might want to eliminate the behavior where, currently, you can
click on an RPM link and the RPM is opened by GNOME Software. Or at
least the ability to override the default rejection of unsigned
packages by entering an admin password.

But that doesn't mean that we're preventing people from installing
such RPMs and taking control of the system away from the people
using the system.

- Owen

xdg-apps makes sense to me for all those reasons.  The third party stuff is more destructive - although not necessarily less secure - when delivered poorly; xdg-app adoption can combat the issues that come with installing arbitrary packages from the wild.  End users might end up with bundled, unresolved vulnerabilities - but if their preferred third party apps were bundled nicely and available from the vendor, perhaps there'd be fewer folks hanging in to EOL releases.

I'm not against the idea of a computing / content consumption appliance as a Fedora deliverable.  My point is more about market positioning.  A few concepts have been thrown out here:

- Only allow installation of Applications meeting some kind of vetting parameters (leaving aside the implementation.)
- Only allow execution of Applications installed as above.

That's great; Fedora can ship all the favorite Applications this way, and set an example for third party vendors.   However, while I believe that the idea of a locked-down, secure desktop environment has merit, it seems mutually exclusive with the idea of a development workstation - at least without mandating a very specific development workflow.  Most of the Applications I use were installed OOTB, or can easily be installed with Software now; xdg-apps won't change that part of my Fedora experience.  I also use a shitton of command line utilities, editors, language libraries, reporting tools, sysadmin whizbangs, whatever and the context of this discussion ignores all that.

The productization of Fedora was purportedly aimed at enabling the project to target user bases more specifically instead of trying to be everything for everyone. The KDE folks have been refused Edition status at least partially on the basis that Workstation is already the developer-targeting product; meanwhile, the Workstation group seems to focus on content creation and consumption, instead of technology development.  I don't know if there's a brand identity crisis, or if I'm just ignorant of the Workstation goals, or have different connotations for terms like 'developer' and 'workstation', or....

-- Pete
-- 
desktop mailing list
desktop@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/desktop
