Re: Firefox "Looking Glass" fiasco

On Mon, Dec 18, 2017 at 10:42:17AM -0800, Adam Williamson wrote:
> On Mon, 2017-12-18 at 12:34 -0600, Chris Adams wrote:
> > Once upon a time, Adam Williamson <adamwill@xxxxxxxxxxxxxxxxx> said:
> > > As part of a tie-in with an American TV show, Mozilla thought it'd be a
> > > great idea to silently install a cryptically-named addon in all(?)
> > > Firefox deployments. Which can't be turned off.
> > 
> > I thought that this was actually a violation of the packaging policies,
> > but I can't seem to find it now; I only see the restriction on software
> > that requires downloads to be useful.
> 
> IIRC there used to be a stricter policy that was relaxed as it had
> become kinda untenable with the widespread acceptance of addons and
> extensions for things like browsers and desktops. I could be wrong,
> though.
> 
> >   I think simply requiring Mozilla
> > to change their policies is unacceptable, as this still depends on a
> > third party to properly enforce such policies (and not have any security
> > issue that could result in untrusted addons being installed).
> 
> Well, practically speaking we do have to have *some* degree of trust in
> our suppliers for apps as large and complex as a web browser or, say,
> an office app. Let's face it, practically speaking we're not really
> equipped to handle an adversarial relationship there. Even if we say
> "we're going to patch out this mechanism", that only really works if we
> trust the vendor at least to the degree that we don't believe they'd
> insert a harder-to-detect back channel to do the same thing, because
> practically speaking we just don't have the resources to audit the
> entire Firefox codebase (or even audit changes from some point in time
> we consider 'trustworthy' onwards) to ensure they haven't done this.

IMHO requesting support for a build flag to disable this ability to
remotely push executable code out to users' browsers is not unreasonable,
and shouldn't make Fedora seem "adversarial", unless there are bigger
trust issues at play here.

> > IMHO such behavior needs to be disabled by default in any packages
> > shipped by Fedora for Fedora to remain a trustworthy distribution.  Are
> > there any other packages that can silently download and run non-Fedora
> > code?
> 
> I dunno about 'silently', but there are certainly other cases of this,
> yes. GNOME Software can install GNOME Shell extensions (which are code,
> and can do anything with the privileges of the user account running the
> shell) from a non-Fedora source (extensions.gnome.org), for instance.

It won't install random new extensions without the user having asked for
them. At most it would update previously installed extensions to newer
versions. Though if someone did compromise the GNOME extensions service,
that distinction is fairly academic from a security POV. IOW, a security
conscious person would not want to allow any communication to the
extensions.gnome.org service at all to protect themselves.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx



