Re: ubuntu/snap future
On Fri 09 Apr 2021 at 20:43:58 +0300, Andrei POPESCU wrote:
> On Vi, 09 apr 21, 06:34:32, riveravaldez wrote:
> > On 4/9/21, tomas@tuxteam.de <tomas@tuxteam.de> wrote:
> > >
> > > Is it really unavoidable? Or just a tad less convenient?
> >
> > Well, that's a pretty subjective issue, to be honest... ;)
> >
> > > Can you pose one concrete use case where it is unavoidable?
> >
> > Not sure if *unavoidable* but I didn't find a better solution at the
> > time:
> > A client for which laptop I'd installed Debian was in job-need of
> > using Skype and Zoom. Her employers wouldn't use anything
> > else, so, I was looking for the better/safer way to install such damn
> > closed-source pieces of soft (in particular I hate Zoom, but that's
> > another subjective issue...) in a for anything else fully libre/secure
> > perfectly working Debian system.
> > I have no idea what the official .deb packages from Skype/Zoom
> > do, so, to minimize exposition and control-lost looked for an easy
> > way to 'enclose' what those programs could do, and opted finally
> > for Flatpak just to avoid any Canonical late-inconvenience...
>
> Just a general reminder: dpkg will execute all maintainer scripts
> contained in the package as root.
>
> Packages can also contain various other files that can have a big impact
> on system security, like system .service files, cron jobs/timers running
> as root, SUID binaries, etc., even if the program itself is (meant to
> be) run only as a regular user.
>
> If you care about the security of your system inspecting the .deb before
> 'dpkg -i' is always a good idea (e.g. with mc or so).
>
> If you are adding foreign repositories you are also trusting them for
> all package updates, for *any* package on your system.
>
> By default APT doesn't care which repository a particular package is
> coming from, as long as it has the higher version, and that is easy
> enough to manipulate (e.g. with an epoch). A trusted repository could
> then easily substitute *any* package on your system (kernel, init,
> shell, etc.) via package upgrades.
>
> The repository doesn't even have to be evil, as it could always be
> hijacked by a bad actor.
In response to this well-argued post: which is less risky when not
installing a package from the archives?
* Install the vendor .deb.
* Install from the snap store.
--
Brian.
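The quoted advice to inspect a vendor .deb before `dpkg -i` can be turned into a repeatable check. The script below is an added example written for this thread, not code from any poster or from dpkg: it reads the .deb container (an `ar` archive holding `debian-binary`, `control.tar.*` and `data.tar.*`) with the Python standard library only and reports exactly the things the post warns about: maintainer scripts that dpkg runs as root, setuid/setgid binaries, and files dropped into locations that root executes or trusts (systemd units, cron, sudoers, APT configuration). The package name `vendor-app`, its paths, script text and the `ROOT_PATHS` shortlist are all constructed for the demonstration.

```python
"""Static triage of a third-party .deb before 'dpkg -i' (added example, stdlib only)."""
import io
import stat
import tarfile

AR_MAGIC = b"!<arch>\n"
MAINT_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}
# Hypothetical shortlist of locations where a shipped file runs or is trusted as root
# regardless of how the application itself is launched.
ROOT_PATHS = ("etc/cron.", "etc/systemd/system/", "lib/systemd/system/",
              "usr/lib/systemd/system/", "etc/sudoers.d/", "etc/apt/",
              "etc/ld.so.preload", "etc/init.d/")


def _norm(path):
    """Strip the './' or '/' prefix that tar members inside a .deb carry."""
    return path[2:] if path.startswith("./") else path.lstrip("/")


def ar_members(data):
    """Yield (name, bytes) for each member of a classic 'ar' archive (the .deb container)."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive / .deb")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]                      # fixed 60-byte ASCII header
        name = hdr[0:16].decode().strip().rstrip("/")  # GNU ar appends '/' to names
        size = int(hdr[48:58].decode().strip())
        yield name, data[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)                 # members are padded to even offsets


def inspect_deb(deb):
    """Return a findings dict describing what the package would do with root privileges."""
    f = {"maintainer_scripts": {}, "setuid": [], "root_paths": [], "entries": 0}
    for name, body in ar_members(deb):
        if name.startswith("control.tar"):
            with tarfile.open(fileobj=io.BytesIO(body), mode="r:*") as tf:
                for m in tf.getmembers():
                    base = _norm(m.name)
                    if m.isfile() and base in MAINT_SCRIPTS:   # dpkg runs these as root
                        f["maintainer_scripts"][base] = tf.extractfile(m).read().decode(errors="replace")
        elif name.startswith("data.tar"):
            with tarfile.open(fileobj=io.BytesIO(body), mode="r:*") as tf:
                for m in tf.getmembers():
                    path = _norm(m.name)
                    f["entries"] += 1
                    if m.isfile() and m.mode & (stat.S_ISUID | stat.S_ISGID):
                        f["setuid"].append(path)
                    if path.startswith(ROOT_PATHS):
                        f["root_paths"].append(path)
    return f


def needs_review(f):
    """True when anything in the package acts with root privileges at install time or at boot."""
    return bool(f["maintainer_scripts"] or f["setuid"] or f["root_paths"])


def _tar_gz(entries):
    """Build an in-memory .tar.gz from (path, content, mode) tuples (for the constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, content, mode in entries:
            info = tarfile.TarInfo(path)
            info.size, info.mode = len(content), mode
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def _ar(members):
    """Build a classic 'ar' archive from (name, bytes) tuples (for the constructed sample)."""
    out = bytearray(AR_MAGIC)
    for name, body in members:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(body):<10}`\n".encode()
        out += body + (b"\n" if len(body) % 2 else b"")
    return bytes(out)


def build_sample_deb(risky=True):
    """Constructed sample package 'vendor-app' (not any real vendor's package)."""
    control = [("./control", b"Package: vendor-app\nVersion: 1.0\nArchitecture: amd64\n"
                             b"Maintainer: sample <sample@example.invalid>\nDescription: constructed sample\n", 0o644)]
    if risky:
        control.append(("./postinst", b"#!/bin/sh\nset -e\nsystemctl enable vendor-app.service\n", 0o755))
    data = [("./usr/bin/vendor-app", b"#!/bin/sh\necho app\n", 0o755),
            ("./usr/bin/vendor-helper", b"#!/bin/sh\necho helper\n", 0o4755 if risky else 0o755),
            ("./usr/share/doc/vendor-app/README", b"sample\n", 0o644)]
    if risky:
        data += [("./lib/systemd/system/vendor-app.service", b"[Service]\nExecStart=/usr/bin/vendor-app\n", 0o644),
                 ("./etc/cron.d/vendor-app", b"0 * * * * root /usr/bin/vendor-helper\n", 0o644)]
    return _ar([("debian-binary", b"2.0\n"),
                ("control.tar.gz", _tar_gz(control)),
                ("data.tar.gz", _tar_gz(data))])


if __name__ == "__main__":
    for risky in (True, False):
        findings = inspect_deb(build_sample_deb(risky))
        print("risky" if risky else "clean", "->", "REVIEW" if needs_review(findings) else "ok", findings)
```

On a Debian system the same information is available without any script: `dpkg-deb -I pkg.deb` prints the control file and the maintainer scripts, and `dpkg-deb -c pkg.deb` lists the contents with their modes, so setuid bits and files under `/etc/cron.d`, `/lib/systemd/system` or `/etc/sudoers.d` stand out. For the repository point in the quoted post, the usual mitigation is an APT preferences file under `/etc/apt/preferences.d/` that pins the foreign origin to a `Pin-Priority` below 500 for `Package: *` and raises only the one package you actually want; APT compares pin priorities before it compares version numbers, so an inflated version or epoch in that repository can no longer replace the Debian version of anything else.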