Re: leaks in our only-signed-software fortress
Am 18.02.2012 15:30, schrieb Josselin Mouette:
Personally I decided to use GNOME-fallback, but via the
meta-packages I
still got the GNOME shell... today
I've noticed that it silently installs an extension, which (I can
only
assume this by the little
description) does some software installation/enabling for GNOME
shell
from extensions.gnome.org.
To me this sounds more like a root-kit than a feature.
No GNOME shell extension is ever downloaded without your consent. The
browser plugin is only here to make this possible. Plugin integrity
is
guaranteed by SSL, and extensions have been checked before being put
on
the website.
Well I guess the problem here are three things:
- Communication
You say now, that GNOME checks all what they put up there, and nothing
is every installed automatically.
This makes things a bit better,... but it's not really obviously
documented.
At least not for a just-a-user like me. Of course one can always say
read the code + go into the developer docs,... but if I have to do this
for everything, than I'm just screwed.
- Trust
I really do not trust GNOME/Mozilla etc. here do do all this in a
secure and right way.
At least for Mozilla there are hundredths of extensions, they surely
can't check them all.
- Bypassing the package management system
IMHO, software in Debian should ONLY be installed by the package
management system with one exception:
When the user really downloads/(optionally compiles)/installs himself.
Especially software should not bring its own package management system
in form of app-store-like thingies.
Of course I know it's difficult to prevent this. Upstreams just do
it... and ways around it (e.g. our Mozilla Extension Packages) are a big
effort for us.
Nevertheless, solve this via packages, would be the right way (IMHO).
Anyway this doesn’t work very well so we’d be better with just
putting
those extensions in another Debian package, but I see this more as a
functional problem than a security one.
Great :)
Cheers,
Chris.
Reply to: