Ubuntu Still Trying To Lock Down Third-Party Debs


  • Ubuntu Still Trying To Lock Down Third-Party Debs

    Phoronix: Ubuntu Still Trying To Lock Down Third-Party Debs

    In the name of security, Ubuntu developers are looking at ways to lock-down or verify the way third-party Debian packages are handled on Ubuntu Linux...

    http://www.phoronix.com/vr.php?view=MTA5ODg

  • #2
    Here's my proposal:

    When a user downloads a third-party .deb from an unverified source and tries to run it, the following dialog box is displayed:



    It's been around for a while.



    • #3
      Don't

      I say don't. If the user wants to use third party apps, let them, and let them face the consequences. For not included apps, do something like Chakra has done with bundles (installs as normal user, runs in "sort of a" jail). Tweaking should stop being sugarcoated: you get a system, you screw it up with third parties, your problem. Most uses I see for third-party repos are updates without updating the system (then I get a call to repair everything that f***ed up), apps not in the USC are usually pretty specific use cases though, so an OBS-like system to create packages for USC would help there.



      • #4
        dpkg and gdebi already do this for you. If you try installing something that is obsolete or already in the repositories, the program warns you. The only difference is the user would have already wasted their time downloading the package.

        I think a more realistic problem to fix is preventing people from downloading packages such as .rpm when Ubuntu (by default) doesn't support them.



        • #5
          Originally posted by schmidtbag
          dpkg and gdebi already do this for you. If you try installing something that is obsolete or already in the repositories, the program warns you. The only difference is the user would have already wasted their time downloading the package.
          Exactly. No need to make my life (or anyone else's) any harder than that.

          My proposed solution is elegant because of its flexibility: inexperienced users will be warned of the possible dangers while power users who understand the risks (and usually know exactly what the installer does) are free to do their thing. Making people's life more difficult is hardly a solution.

          Originally posted by schmidtbag
          I think a more realistic problem to fix is preventing people from downloading packages such as .rpm when Ubuntu (by default) doesn't support them.
          And don't you dare try to prevent me from downloading what I want.



          • #6
            Originally posted by M1kkko
            And don't you dare try to prevent me from downloading what I want.
            Well, I don't mean literally prevent it, just as another warning that encourages preventing. So for example you go to download a package and as soon as a .rpm file is detected in your downloads folder, a background process will create a popup message warning the user that what they're downloading is not intended to be used in Ubuntu and could otherwise cause problems.



            • #7
              System Restore

              Why not integrate some sort of system restore feature where if the package does mess up the system or anything else then you can just "restore" back before you installed package xyz?

              This should be included anyway by default and should be part of the recovery menu at boot; this would help sell Ubuntu even more.

              However this could in turn make people want to install untrusted software even more because they feel they will be safe in the event something goes wrong.



              • #8
                Originally posted by acrazyplayer
                Why not integrate some sort of system restore feature where if the package does mess up the system or anything else then you can just "restore" back before you installed package xyz?
                With btrfs/LVM snapshots, this is actually surprisingly easy to implement, at least on a sequential basis, which is just as good as Windows Restore.



                • #9
                  As if anything will change... I'll go out on a limb to say that when most users will want to get something, and USC doesn't provide it: they'll still want to get it.



                  • #10
                    Chewi:

                    With btrfs/LVM snapshots, this is actually surprisingly easy to implement, at least on a sequential basis, which is just as good as Windows Restore.
                    Ext4 could have the same features as well which would make things even easier.



                    • #11
                      Originally posted by Chewi
                      With btrfs/LVM snapshots, this is actually surprisingly easy to implement, at least on a sequential basis, which is just as good as Windows Restore.
                      Just as good? It's a lot better, and it's already working. We call it Snapper, at least here on openSUSE.



                      • #12
                        I like how Android shows what permissions an App requires to function on your device. I know a desktop OS is not the same, but it would be a nice direction to head. That way when you decide to install, the deb tells you what level of access it requires. Unfortunately, you'll never get everyone to proceed with caution, but making things too difficult will push people away like UAC did in Vista.



                        • #13
                          How about instead of forcing policies on the users to make it a hassle to install 3rd party software, we instead try to teach the users what to trust and what not to?

                          A few simple guidelines should be enough, things like Ubuntu's own repo is considered trustable and should be used when possible. If not, use a signed repo that could be considered trustable. Only install .debs manually if you really really have to, and GDebi on Debian already advises you to install the repo version of a package if it's available.

                          In my opinion, this approach is far superior to automated policies. Remember, the bad guys could always lie. If you tell them the truth before they encounter the lies, they have a fair chance at detecting it.



                          • #14
                            Originally posted by schmidtbag
                            I think a more realistic problem to fix is preventing people from downloading packages such as .rpm when Ubuntu (by default) doesn't support them.
                            Why is that an issue? An .rpm won't install, so it's not dangerous (and if you're smart enough to actually use alien to get the package installed, then you're smart enough to realize the risk involved).



                            • #15
                              Originally posted by DanL
                              Why is that an issue? An .rpm won't install, so it's not dangerous (and if you're smart enough to actually use alien to get the package installed, then you're smart enough to realize the risk involved).
                              Well yeah, to us it isn't an issue, but it's confusing and annoying to newbs. It isn't really a big deal anyway, but I'm just saying, if they're going to make a fuss about 3rd party packages, .rpms are more of an issue than rather being officially supported.
