[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Automatic downloading of non-free software by stuff in main



On Thu, Dec 07, 2017 at 01:59:16PM +0000, Holger Levsen wrote:
> On Thu, Dec 07, 2017 at 01:52:07PM +0000, Ian Jackson wrote:
> > Furthermore, this "file is dangerous" attribute ought to be copied
> > much more.
> 
> no, it ought to be the default. all files should be considered harmful,
> unless tagged otherwise.

All files _should_ be considered potentially harmful. Even if tagged
safe. A previously-safe file might become harmful because it happens
to trigger a newly found security bug. Possibly a newly found security
bug that did not exist when the file was tagged safe.

In my opinion, tagging files safe or harmful is not a winning
strategy. I don't think it gives enough benefit to be worth it, and it
doesn't seem to me it actually protects our users very much. An xattrs
tag, in particular, gets lost so very easily, and having it applied
inconsistently means there's a lot of ways in which any protection
based on such a tag gets accidentally or intentionally circumvented.
If we have a "this is safe" tag, instead of "this may be harmful",
then that's also going to get lost often, leading to users getting
annoyed by unintended security warnings all the time.

Obviously it's possible to handle this by treating it as a by every
time a file is copied without its xattr flag. But even from limited
experience, that's going to be a very large number of bugs. If my
security depends on all programs individually doing all the right
things, I won't be feeling very secure.

I don't have a good solution, but I suspect something like QubesOS may
be the way forward. In other worse, isolate all processes into
containers (or virtual machines) of some sort and arrange it so that
this doesn't become too cumbersome to the user. (Disclaimer: I haven't
had time to actually try QubesOS myself, yet.)

The advantage of that approach is that the security gets centralised
into fewer system components. It's less important that, say, Firefox
is secure, if it can't be exploited to do bad things, if the container
stops Firefox from deleting or modifying local files, or making
unexpected network connections, or using too much RAM or CPU or other
local resources. (I'm describing an ideal here, not the state of
current technology.)

-- 
I want to build worthwhile things that might last. --joeyh


Reply to: