1. Computers
  2. Display Drivers
  3. Graphics Cards
  4. Memory
  5. Motherboards
  6. Processors
  7. Software
  8. Storage
  9. Operating Systems


Facebook RSS Twitter Twitter Google Plus


Phoronix Test Suite

OpenBenchmarking Benchmarking Platform
Phoromatic Test Orchestration

Ubuntu Still Trying To Lock Down Third-Party Debs

Ubuntu

Published on 08 May 2012 11:49 AM EDT
Written by Michael Larabel in Ubuntu
15 Comments

In the name of security, Ubuntu developers are looking at ways to lock-down or verify the way third-party Debian packages are handled on Ubuntu Linux.

On Monday afternoon in Oakland was a session entitled Secure distribution of third-party .debs. This session was described as, "Care has been taken over the years to ensure that clicking a link to an executable on a website doesn't cause untrusted code to be run, and that all package downloads from the Ubuntu archive and from PPAs can be done securely. But lots of community and third-party documentation directs users to download unsigned .debs from websites and install them, and software center facilitates this. We need to examine the security around third-party packages."

This matter isn't new but has been visited a few times now over recent Ubuntu development cycles but with no solution materializing. Developers are trying to decide how to treat .deb packages that are found on the Internet and not within the Ubuntu/Debian archive, Ubuntu developers want to promote pushing software through the Ubuntu Software Center, and other measures to safeguard Ubuntu/Debian packages.

The notes from yesterday's third-party Deb discussion can be found here. The notes are also embedded below for those without Ubuntu Single Sign-On access.
= UDS-Q Session notes =
New repos on user system?
- ideally only for a subset of packages
What to do with .debs that are just found off the internet
- sources are many (download links, checkinstall things)
- man in the middle attacks are plausible, especially if you don't get via https
Some stuff has disappeared from partner (eg Opera)
- we want them to go to developer.ubuntu.com these days (show up in software center)
- some partners don't want canonical to distribute their software
-
Why aren't some third parties using developer.ubuntu.com now?
- Third party needs to build packages for more than Ubuntu (Red Hat / Debian / etc)...simpler to just have Jenkins build the Ubuntu packages and put them alongside the same web server
What sort of tools can we do to help this?
- Being able to anotate that a particular archive can only install certain packages (eg this repo can only install package named googletalk)
- protects from accidents, but not malicious packages
- Software center does have some automated analyses of packages now (and complains about terrible Adobe packages properly)
- dpkg-maintscript-helper now has debhelper support
- Are there any other things we're doing properly in maint scripts that aren't in debhelper?
- Create a metadata format about a repository
- GPG signature
- repository name/url/who runs it
- present it differently in UI?
- do this instead of third parties shipping .debs to users that add repos (do they do this in maintainer scripts or with just files?)
- previous discussion on how to add a repo with file-format: https://wiki.ubuntu.com/ThirdPartyApt (need extension for icon/description)
- pkgme is the solution to a lot of third parties ending up with .debs but no .dscs, so we can then upload these (mostly-binary) source packages to myapps
- installs stuff into /opt and so on
- What about things that _have_ to go out of /opt?
- .desktop files
- icons
- links in the path?
- These sorts of exceptions are defined by the tech board
- The static analysis tool would need to recognize these file types and such, but feeding back into this process (eg defining a new white-listable outside of /opt thing) would require a long process.

Do we have a lintian profile for 3rd party packages?
- apt-daemon has lintian as an optional feature
Having static tool to gather data before making a decision about what to do?

About The Author
Michael Larabel is the principal author of Phoronix.com and founded the web-site in 2004 with a focus on enriching the Linux hardware experience and being the largest web-site devoted to Linux hardware reviews, particularly for products relevant to Linux gamers and enthusiasts but also commonly reviewing servers/workstations and embedded Linux devices. Michael has written more than 10,000 articles covering the state of Linux hardware support, Linux performance, graphics hardware drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated testing software. He can be followed via and or contacted via .
Latest Linux News
  1. Mesa 10.5.6 Brings Fixes All Over The Place
  2. NVIDIA's Proprietary Driver Is Moving Closer With Kernel Mode-Setting
  3. The Latest Linux Kernel Git Code Fixes The EXT4 RAID0 Corruption Problem
  4. Features Added To Mesa 10.6 For Open-Source GPU Drivers
  5. Ubuntu's LXD vs. KVM For The Linux Cloud
  6. Fedora Server 22 Benchmarks With XFS & The Linux 4.0 Kernel
  7. GCC 6 Gets Support For The IBM z13 Mainframe Server
  8. Fedora 22 Is Being Released Next Tuesday
  9. OpenWRT 15.05 Preparing Improved Security & Better Networking
  10. Using The New LLVM/Clang OpenMP Support
Latest Articles & Reviews
  1. The Latest Features For Linux Performance Management + Benchmark Monitoring
  2. Noctua NH-U12DX i4 + NF-F12
  3. Btrfs RAID 0/1 Benchmarks On The Linux 4.1 Kernel
  4. The State Of Various Firefox Features
Most Viewed News This Week
  1. The Linux 4.0 Kernel Currently Has An EXT4 Corruption Issue
  2. The Linux 4.0 EXT4 RAID Corruption Bug Has Been Uncovered
  3. AMDGPU Open-Source Driver Code Continues Maturing
  4. Microsoft Open-Sources The Windows Communication Foundation
  5. Another HTTPS Vulnerability Rattles The Internet
  6. Systemd 220 Has Finally Been Released
  7. LibreOffice 5.0 Open-Source Office Suite Has Been Branched
  8. Will Ubuntu Linux Hit 200 Million Users This Year?