[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ubuntu/snap future

On Fri 09 Apr 2021 at 20:43:58 +0300, Andrei POPESCU wrote:

> On Vi, 09 apr 21, 06:34:32, riveravaldez wrote:
> > On 4/9/21, tomas@tuxteam.de <tomas@tuxteam.de> wrote:
> > >
> > > Is it really unavoidable? Or just a tad less convenient?
> > 
> > Well, that's a pretty subjective issue, to be honest... ;)
> > 
> > > Can you pose one concrete use case where it is unavoidable?
> > 
> > Not sure if *unavoidable* but I didn't found a better solution at the
> > time:
> > A client for which laptop I'd installed Debian was in job-need of
> > using Skype and Zoom. Her employers wouldn't use anything
> > else, so, I was looking for the better/safer way to install such damn
> > closed-source pieces of soft (in particular I hate Zoom, but that's
> > another subjective issue...) in a for anything else fully libre/secure
> > perfectly working Debian system.
> > I have no idea what the official .deb packages from Skype/Zoom
> > do, so, to minimize exposition and control-lost looked for an easy
> > way to 'enclose' what those programs could do, and opted finally
> > for Flatpak just to avoid any Canonical late-inconvenience...
> 
> Just a general reminder: dpkg will execute all maintainer scripts 
> contained in the package as root.
> 
> Packages can also contain various other files that can have a big impact 
> on system security, like system .service files, cron jobs/timers running 
> as root, SUID binaries, etc., even if the program itself is (meant to 
> be) run only as a regular user.
> 
> If you care about the security of your system inspecting the .deb before 
> 'dpkg -i' is always a good idea (e.g. with mc or so).
> 
> If you are adding foreign repositories you are also trusting them for 
> all package updates, for *any* package on your system.
> 
> By default APT doesn't care from which repository a particular package 
> is coming from, as long as it has the higher version, and that is easy 
> enough to manipulate (e.g. with an epoch). A trusted repository could 
> then easily substitute *any* package on your system (kernel, init, 
> shell, etc.) via package upgrades.
> 
> The repository doesn't even have to be evil, as it could always be 
> hijacked by a bad actor.

In response to this well-argued post: which is less risky when not
installing a package from the archives?

  * Install the vendor .deb.
  * Install from the snap store.

-- 
Brian.
Reply to: