PPA security (was: Debian mirrors and MITM)

To: debian-security@lists.debian.org
Subject: PPA security (was: Debian mirrors and MITM)
From: "W. Martin Borgert" <debacle@debian.org>
Date: Fri, 30 May 2014 20:41:20 +0200
Message-id: <[🔎] 20140530204120.Horde.zO1CETEdnp5Glvdc16AYxw5@webmail.in-berlin.de>
In-reply-to: <[🔎] CAKS89Grgnv6YJ2QakyDUxXRK97kA6RHwsFbH2dEXU81EBM+BZw@mail.gmail.com>
References: <[🔎] 1401455611.6597.123286253.5D5A44D8@webmail.messagingengine.com> <[🔎] 90ebee24-e7fd-11e3-89ae-00163eeb5320@msgid.mathom.us> <[🔎] f2a5e71e-e7fd-11e3-bb9d-00163eeb5320@msgid.mathom.us> <[🔎] 1401456637.10889.123292765.031DBFDA@webmail.messagingengine.com> <[🔎] F8CB8B56-FBF3-471D-9C06-94F03F05ED63@vianet.ca> <[🔎] 1401457832.14998.123299485.589AA83E@webmail.messagingengine.com> <[🔎] 20140530141153.GB29891@mathom.us> <[🔎] 1401460379.27062.123315561.30584D1D@webmail.messagingengine.com> <[🔎] d07185d6-e807-11e3-8a0e-00163eeb5320@msgid.mathom.us> <[🔎] 1401461172.30245.123322097.6B61A862@webmail.messagingengine.com> <[🔎] 90cece00-e809-11e3-b232-00163eeb5320@msgid.mathom.us> <[🔎] 1401469422.15642.33.camel@voyager.local> <[🔎] CAKS89Grgnv6YJ2QakyDUxXRK97kA6RHwsFbH2dEXU81EBM+BZw@mail.gmail.com>

Quoting Jeremie Marguerie <jeremie@marguerie.org>:

Thanks for bringing that issue! I feel the same way when I install a
packet from a non-official PPA.


Unfortunately, every package can do anything: pre-inst, post-inst,
pre-rm, post-rm run as root. If you don't trust a PPA the same way
you trust your OS vendor (Debian, Ubuntu or whoever), install only
in a VM or a container (not sure, whether a docker container is
considered safe enough, but chroot is not sufficient).

Alternatively, download the package, unpack it, remove maintainer
script or check them carefully, check for s-bits on binaries etc.
repack it and install. I'm probably missing more checks here.

While it would be nice to have sth. like "less trusted sources" and
allow their packages only certain kinds of install/de-install
operations (i.e. no maintainer scripts) etc., it's  hard to get
right and a broken solution would put users at risk.

Cheers

Reply to:

Follow-Ups:
- Re: PPA security (was: Debian mirrors and MITM)
  - From: Paul Wise <pabs@debian.org>

References:
- Re: Debian mirrors and MITM
  - From: Alfie John <alfiej@fastmail.fm>
- Re: Debian mirrors and MITM
  - From: Michael Stone <mstone@debian.org>
- Re: Debian mirrors and MITM
  - From: Michael Stone <mstone@debian.org>
- Re: Debian mirrors and MITM
  - From: Alfie John <alfiej@fastmail.fm>
- Re: Debian mirrors and MITM
  - From: Reid Sutherland <reid@vianet.ca>
- Re: Debian mirrors and MITM
  - From: Alfie John <alfiej@fastmail.fm>
- Re: Debian mirrors and MITM
  - From: Michael Stone <mstone@debian.org>
- Re: Debian mirrors and MITM
  - From: Alfie John <alfiej@fastmail.fm>
- Re: Debian mirrors and MITM
  - From: Michael Stone <mstone@debian.org>
- Re: Debian mirrors and MITM
  - From: Alfie John <alfiej@fastmail.fm>
- Re: Debian mirrors and MITM
  - From: Michael Stone <mstone@debian.org>
- Re: Debian mirrors and MITM
  - From: Hans Spaans <hans@dailystuff.nl>
- Re: Debian mirrors and MITM
  - From: Jeremie Marguerie <jeremie@marguerie.org>

Prev by Date: Re: Debian mirrors and MITM
Next by Date: Re: Debian mirrors and MITM
Previous by thread: Re: Debian mirrors and MITM
Next by thread: Re: PPA security (was: Debian mirrors and MITM)
Index(es):
- Date
- Thread