On Wed, 2016-11-09 at 16:43 +0100, Jiri Eischmann wrote:
> Kamil Paral wrote on Wed 09. 11. 2016 at 09:49 -0500:
> > > One solution would be giving apps an option to add a remote and
> > > install the required runtime from it, but Alex sees that as a
> > > potential security issue.
> >
> > Can you elaborate? What security issues?
> > Could installing runtime X subvert runtime Y used by other apps,
> > e.g. by claiming that X is an update for Y? In that case I'd expect
> > that GPG keys have to match, or something like that.
>
> Yeah, the app requires the runtime X which is not installed and adds
> a remote to install it, but the remote could also contain a malicious
> version of the runtime Y which is already installed and used by other
> apps, and the malicious version overrides it as an update. Then other
> apps get infected.

No, that will not work. When you install an app or a runtime you have
to specify a remote to install it from. This is a trusted operation and
after that we will *only* update that app/runtime from that remote.

The problem is when the runtime is *not* installed. The untrusted
remote could claim to have an "org.gnome.Platform" runtime, which will
then be installed, and at this point you're affecting another app.

So, the most important point of trust is when you initially install
something, as that ties it to the remote and thus the GPG key. Also
somewhat important is when you add a remote that is used for dependency
resolution. Such auto-dependencies always show the name of the remote
that the dependencies will be installed from, so a wary user will
detect strange things, but it's easy to overlook this and say "yes"
without thinking.

-- 
Alexander Larsson, Red Hat, Inc
alexl@xxxxxxxxxx
alexander.larsson@xxxxxxxxx
He's an otherworldly small-town barbarian on the wrong side of the law.
She's a beautiful Bolivian doctor with the soul of a mighty warrior.
They fight crime!
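
Because each installed ref stays tied to the remote it was first installed from, listing those origins shows where a shared runtime actually came from. The following is an added example, not part of the original e-mail or of Flatpak's code; it assumes tab-separated `ref<TAB>origin` input as printed by `flatpak list --columns=ref,origin` on current Flatpak releases, and the policy, remote names and sample listing are constructed.

```python
# Added example: flag installed refs pinned to an unexpected remote.
# Assumed input: "ref<TAB>origin" lines from `flatpak list --columns=ref,origin`.

# Constructed policy: the remote each shared runtime is expected to come from.
EXPECTED_ORIGIN = {
    "org.gnome.Platform": "gnome",
    "org.freedesktop.Platform": "freedesktop",
}

# Constructed sample listing (remote names are made up for illustration).
SAMPLE_LISTING = (
    "org.gnome.Platform/x86_64/3.22\tgnome\n"
    "org.freedesktop.Platform/x86_64/1.4\tsomeapp-origin\n"
    "com.example.SomeApp/x86_64/stable\tsomeapp-origin\n"
)


def parse_listing(text):
    """Yield (ref_id, full_ref, origin) for each well-formed line."""
    for line in text.splitlines():
        fields = line.strip().split("\t")
        if len(fields) != 2 or not fields[0]:
            continue  # skip blank or malformed lines
        full_ref, origin = fields
        parts = full_ref.split("/")
        if parts[0] in ("app", "runtime"):  # tolerate a kind prefix
            parts = parts[1:]
        if not parts or not parts[0]:
            continue
        yield parts[0], full_ref, origin


def unexpected_origins(text, policy=EXPECTED_ORIGIN):
    """Return (ref, pinned remote, expected remote) for policy mismatches."""
    findings = []
    for ref_id, full_ref, origin in parse_listing(text):
        expected = policy.get(ref_id)
        if expected is not None and origin != expected:
            findings.append((full_ref, origin, expected))
    return findings


if __name__ == "__main__":
    for full_ref, origin, expected in unexpected_origins(SAMPLE_LISTING):
        print(f"{full_ref}: pinned to '{origin}', expected '{expected}'")
```

Refs that the policy does not name, such as the application itself, are ignored; only shared runtimes with a declared expected remote are checked.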