Re: ubuntu/snap future

To: debian-user@lists.debian.org
Subject: Re: ubuntu/snap future
From: Andrei POPESCU <andreimpopescu@gmail.com>
Date: Fri, 9 Apr 2021 20:43:58 +0300
Message-id: <[🔎] 20210409174358.redrucdcoglfr6ev@acr13.nuvreauspam>
In-reply-to: <[🔎] CAD8U+g9bXd1dZsLHAsCk_Br=z=F58G+iFdEGO4YxnjvSv_Mwxg@mail.gmail.com>
References: <[🔎] 7892dc19-e457-09fd-428f-cbbc7dcbd2a6@gmail.com> <[🔎] CAMPM96riPJVjSS8pG06Y6AORNDeg2tShpdwUXZADLTwHeyOj+w@mail.gmail.com> <[🔎] 1a11bd48-2b9e-bb98-6484-9c58ba948290@le-bars.net> <[🔎] 06042021124358.217e4671cbea@desktop.copernicus.org.uk> <[🔎] CAD8U+g8h-w7KXVC=Z-XcbYcMA2O1aJpOg12mvRjL0qPBmGcKQg@mail.gmail.com> <[🔎] YG2GtVkun9xsXHlw@randomstring.org> <[🔎] CAD8U+g8w=-nEwPvvUF7tjMyR4RgfQ7v2RPCCvWjSsw_6ZYy6Bw@mail.gmail.com> <[🔎] 20210409072149.GB15724@tuxteam.de> <[🔎] CAD8U+g9bXd1dZsLHAsCk_Br=z=F58G+iFdEGO4YxnjvSv_Mwxg@mail.gmail.com>

On Vi, 09 apr 21, 06:34:32, riveravaldez wrote:
> On 4/9/21, tomas@tuxteam.de <tomas@tuxteam.de> wrote:
> >
> > Is it really unavoidable? Or just a tad less convenient?
> 
> Well, that's a pretty subjective issue, to be honest... ;)
> 
> > Can you pose one concrete use case where it is unavoidable?
> 
> Not sure if *unavoidable* but I didn't found a better solution at the
> time:
> A client for which laptop I'd installed Debian was in job-need of
> using Skype and Zoom. Her employers wouldn't use anything
> else, so, I was looking for the better/safer way to install such damn
> closed-source pieces of soft (in particular I hate Zoom, but that's
> another subjective issue...) in a for anything else fully libre/secure
> perfectly working Debian system.
> I have no idea what the official .deb packages from Skype/Zoom
> do, so, to minimize exposition and control-lost looked for an easy
> way to 'enclose' what those programs could do, and opted finally
> for Flatpak just to avoid any Canonical late-inconvenience...

Just a general reminder: dpkg will execute all maintainer scripts 
contained in the package as root.

Packages can also contain various other files that can have a big impact 
on system security, like system .service files, cron jobs/timers running 
as root, SUID binaries, etc., even if the program itself is (meant to 
be) run only as a regular user.

If you care about the security of your system inspecting the .deb before 
'dpkg -i' is always a good idea (e.g. with mc or so).

If you are adding foreign repositories you are also trusting them for 
all package updates, for *any* package on your system.

By default APT doesn't care from which repository a particular package 
is coming from, as long as it has the higher version, and that is easy 
enough to manipulate (e.g. with an epoch). A trusted repository could 
then easily substitute *any* package on your system (kernel, init, 
shell, etc.) via package upgrades.

The repository doesn't even have to be evil, as it could always be 
hijacked by a bad actor.

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser

Attachment: signature.asc
Description: PGP signature

Reply to:

Follow-Ups:
- Re: ubuntu/snap future
  - From: Brian <ad44@cityscape.co.uk>

References:
- ubuntu/snap future
  - From: George Shuklin <george.shuklin@gmail.com>
- Re: ubuntu/snap future
  - From: Paul Johnson <baloo@ursamundi.org>
- Re: ubuntu/snap future
  - From: Yoann LE BARS <yoann@le-bars.net>
- Re: ubuntu/snap future
  - From: Brian <ad44@cityscape.co.uk>
- ubuntu/snap future
  - From: riveravaldez <riveravaldezmail@gmail.com>
- Re: ubuntu/snap future
  - From: Dan Ritter <dsr@randomstring.org>
- Re: ubuntu/snap future
  - From: riveravaldez <riveravaldezmail@gmail.com>
- Re: ubuntu/snap future
  - From: <tomas@tuxteam.de>
- Re: ubuntu/snap future
  - From: riveravaldez <riveravaldezmail@gmail.com>

Prev by Date: Re: ubuntu/snap future
Next by Date: Re: ubuntu/snap future
Previous by thread: Re: ubuntu/snap future
Next by thread: Re: ubuntu/snap future
Index(es):
- Date
- Thread