On Sun, Jul 2, 2023 at 5:01 PM Demi Marie Obenour <demiobenour@xxxxxxxxx> wrote:
On 6/3/23 08:42, Michael Catanzaro wrote:
> On Sat, Jun 3 2023 at 10:26:07 AM -0000, John Iliopoulos <jxftw2424@xxxxxxxxx> wrote:
>> Hello,
>>
>> While i completely understand why you do this i do think that it is
>> important for desktop/workstation oriented devices to have some
>> optional access to Office directly from the image file. Have you
>> considered shipping the LibreOffice flatpak via the ISO much like
>> Fedora Silverblue does with various other applications?
>>
>> This is the first time i reply to a mailing list so i hope i have not
>> done anything wrong.
>
> Hi. Welcome to the list. You haven't done anything wrong.
>
> For Fedora Workstation, the mid-term plan is to ship all preinstalled
> apps as Fedora Flatpaks. We cannot ship anything from Flathub because
> FESCo will not allow it. I don't *like* this FESCo requirement, but I
> also don't expect that to change. Accordingly, since Fedora Flatpaks
> are built from Fedora RPMs, maintaining the LibreOffice RPMs is
> essential to keep LibreOffice preinstalled. (I think that applies to
> Silverblue as well?)
Fedora Flatpaks are also a security disaster: they are shipped in OCI
format instead of OSTree format, but they aren’t signed by anyone.
I’ve disabled the Fedora remote and recommend that others do the same.
I think the words "security disaster" are painting a too strong picture here. When you install a Fedora Flatpak, the digest of the content being installed is checked against the checksums embedded in the index downloaded from (e.g. https://registry.fedoraproject.org/index/static?label:org.flatpak.ref:exists=1&os=linux&architecture=amd64&tag=latest). These indexes are statically generated from data queried from Bodhi and Koji and downloaded from a static web server directly from Fedora bypassing the CDN.
The most obvious way to get malicious content into this index would be to inject it at build time, by adding it upstream, infiltrating the Fedora project, hacking a Fedora contributor, etc. In all of these cases, if we had container signatures, robosignatory would happily sign it when the update was created.
Yes, someone could hack the server hosting the index, get write-access to the mount hosting the indexes, or find some specific way to exploit the indexing process. And in those cases, having checked signatures would help. The first two cases would seem to imply a widespread breach of Fedora infrastructure that would likely affect security of builds as well.
What would be needed to implement signatures would be roughly:
- Implement container signatures in robosignatory/sigul
- Implement distribution of signatures (probably easiest if we move registry.fedoraproject.org to quay.io as planned for a while)
- Implement checkingo of container signatures in the Flatpak client
One thing that helps now is that for a long time there was a lot of uncertainty in where signatures were going in the container world, but at this point, at least Red Hat parts of the container world seems to be solidly behind the approach of https://github.com/sigstore/cosign. (Still a lot of details / moving parts that would have to be researched.)
- Owen
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue