Re: Limiting the power of packages

To: "Enrico Weigelt, metux IT consult" <lkml@metux.net>, Lars Wirzenius <liw@liw.fi>, debian-devel@lists.debian.org
Subject: Re: Limiting the power of packages
From: Philipp Kern <pkern@debian.org>
Date: Thu, 4 Oct 2018 14:42:35 +0200
Message-id: <[🔎] 83033d23-0dd8-0be0-8bd4-462e947fa89b@debian.org>
In-reply-to: <[🔎] b858cc86-a418-0bbf-a179-a6e287104492@metux.net>
References: <[🔎] 20181003171917.GB2043@exolobe1.liw.fi> <[🔎] b858cc86-a418-0bbf-a179-a6e287104492@metux.net>

On 04.10.2018 13:17, Enrico Weigelt, metux IT consult wrote:
>> (Note that I'm not saying Microsoft or Google are doing something
>> nefarious here: 
> 
> But I do think that. If they really wanted to do that in a reasonably
> secure and safe way (assuming they're not completely incompetent),
> they'd split off the sources.list part from the actual package (there're
> many good ways to do that), and added proper pinning to reduce the
> attack surface.
> 
> And they would have talked to the Distros about a proper process of
> bringing Skype into Distro repos.
> 
> OTOH, considering the tons of other bugs and design flaws, I'm not
> really sure whether they're nefarious or incompetent, maybe a mix of
> both ...

It's not like Debian provides a way that nicely integrates with the
system except by what they are doing. Yes, one could ship a pin to limit
to specific packages, but from the point of the vendor there's no threat
here: They know what they are going to ship. And from a vendor point of
view you actually want to have the agility to rotate the GPG key in use,
to switch to a different hosting place, and to ship more packages as
required. So it's just that your and the vendor's assumptions mismatch.

Ultimately what most users want is something that is kept up-to-date. At
the point where they decided that they want (or need) to use a vendor's
software, it's not really our business anymore to tell them off. You
yield full control to the vendor at that point, just like Debian has
full control of your system.

If we had a sensible way to report back binary provenance, we could at
least call out when a vendor did something nefarious. (Like serving a
trojan to a specific user.) But we don't.

And to the point of nefavious vs. incompetence: The truth is that most
companies employ software engineers to do the packaging. Apart from
Linux being a small market for most of this software, it is also
something they are not necessarily familiar with or would need to hire
some kind of specialist for. I understand that you are in that business.
But at the same time most programmers assume that it's just a small
matter of programming and it can't be that hard to integrate with
another system. They can't really anticipate the bugs. But we at least
need to hold them accountable to listening to feedback.

> That way, the vendors could just pick some minimal base system (maybe
> apline or devuan based) [...]

That's also where you lost me, FWIW.

Kind regards
Philipp Kern

Reply to:

References:
- Limiting the power of packages
  - From: Lars Wirzenius <liw@liw.fi>
- Re: Limiting the power of packages
  - From: "Enrico Weigelt, metux IT consult" <lkml@metux.net>

Prev by Date: Re: Limiting the power of packages
Next by Date: Re: Problem sending my key to keyring.debian.org
Previous by thread: Re: Limiting the power of packages
Next by thread: Re: Limiting the power of packages
Index(es):
- Date
- Thread