Apturl (security) issues and inclusion in Gutsy

Wouter Stomp wouterstomp at gmail.com
Mon Sep 17 20:33:15 UTC 2007


I would like to discuss the recent inclusion of apturl in the Gutsy
default installation. The idea of apturl is great but the current
implementation has a lot of issues, some of which I will list here:

1. It's possible to run arbitrary scripts in the preinst/postrm phase
of dpkg installation or the installed program itself could be
malicious. By allowing the repository to be specified the deb can come
from anywhere. So, you've basically got just a yes/no dialog stopping
arbitrary code execution. (Not far from UAC and ActiveX in windows.)

2. Repositories added through apturl could provide packages included
in Ubuntu but with higher version numbers with malicious code.

3. there should be a VERY OBVIOUS visual indication of whether the
program is going to be installed from the official repos or some third
party site (right now it is not)

4. It is not well maintained. In the two months that it has been in
the archives, 20 bugs have been reported, none have been fixed. Only
one had a response and that is a bug about a spelling mistake in the
package description. (all together it seems to have been uploaded only
to enable the plugin wizard in firefox to work, after whcich it hasn't
had any more attention)

5. It hasn't had a lot of testing. It wasn't mentioned in any of the
tribe release notes. There hasn't been a post in the dev-link forum or
on the mailing lists. So not many people know about it or have tested

6. It functions for firefox only, even though solutions to enable it
for konqueror and opera have been provided in bug report. This makes
it impossible for a website to provide an "install this" link for an
Ubuntu package. They have to mention that it only works if you are
running firefox, not if you are a kubuntu user running konqueror for

7. There is currently no way for a website to know whether apt urls
will work on the users operating system. If a website provides an apt
install link it will be broken for feisty and earlier ubuntu versions
or other linux distributions,

8. making people enter their sudo password in a popup you got from
clicking on a link on an arbitary website is definitely not secure.

9. apturl in its current version doesn't show the package description
so people don't have a clue about what they are about to install other
than the information provided on the website

Conclusion: apturl is a great idea, but needs some work before it can
be included and enabled by default on Ubuntu. In its current form it
would do Gutsy more harm than good.

With some work I think Gutsy could ship with it if for now it would
only allow installation of packages from the official ubuntu
repositories. Adding of third party repositories by clicking a weblink
is something that at least needs some discussion and imho should not
be done at all.



n.b. link to apturl bug list: https://bugs.launchpad.net/ubuntu/+source/apturl

More information about the Ubuntu-devel-discuss mailing list