Apturl (security) issues and inclusion in Gutsy

[Alexander Sack]

On Mon, Sep 17, 2007 at 10:33:15PM +0200, Wouter Stomp wrote:
> 1. It's possible to run arbitrary scripts in the preinst/postrm phase
> of dpkg installation or the installed program itself could be
> malicious. By allowing the repository to be specified the deb can come
> from anywhere. So, you've basically got just a yes/no dialog stopping
> arbitrary code execution. (Not far from UAC and ActiveX in windows.)
> 

This is a feature of deb packages in general. ATM, you can provide
.deb links that will run gdebi by default. The difference of apturl is
that it allows you to ship dependencies of your provided packages as
well.

> 2. Repositories added through apturl could provide packages included
> in Ubuntu but with higher version numbers with malicious code.

... this is a feature, not an issue.

> 
> 3. there should be a VERY OBVIOUS visual indication of whether the
> program is going to be installed from the official repos or some third
> party site (right now it is not)

If this is not obvious enough, we should take a look. ATM you get at
least a warning because the 3rd party repository is not signed with a
trusted key.

> 
> 4. It is not well maintained. In the two months that it has been in
> the archives, 20 bugs have been reported, none have been fixed. Only
> one had a response and that is a bug about a spelling mistake in the
> package description. (all together it seems to have been uploaded only
> to enable the plugin wizard in firefox to work, after whcich it hasn't
> had any more attention)

Are there any serious bugs filed?

> 
> 5. It hasn't had a lot of testing. It wasn't mentioned in any of the
> tribe release notes. There hasn't been a post in the dev-link forum or
> on the mailing lists. So not many people know about it or have tested
> it.

The ffox plugin finder wizard was announced with tribe-5. I agree
though, that we should call for more widespread testing/comments,
especially how we can raise awareness about the security implications
of 3rd party packages.

> 
> 6. It functions for firefox only, even though solutions to enable it
> for konqueror and opera have been provided in bug report. This makes
> it impossible for a website to provide an "install this" link for an
> Ubuntu package. They have to mention that it only works if you are
> running firefox, not if you are a kubuntu user running konqueror for
> example.

I don't think that this is a valid argument. As you say, there are
solutions for other browsers available. The fact that they haven't
been integrated yet is not an issue of apturl.

> 
> 7. There is currently no way for a website to know whether apt urls
> will work on the users operating system. If a website provides an apt
> install link it will be broken for feisty and earlier ubuntu versions
> or other linux distributions,

How is this different from providing links to .deb packages? Users
unaware about architectures et al are not really capable to
understand comments next to the link either. If they are, you can do
the same for apturl links.

> 
> 8. making people enter their sudo password in a popup you got from
> clicking on a link on an arbitary website is definitely not secure.

I see the point of this. We should investigate how we can make the
installer more spoof-proof. IIRC, it shades the application that
started the installer atm, which is a good start and probably hard to
spoof with just HTML mechanisms. Maybe we can add more
prominent/graphical hints that its now the ubuntu install wizard
processing your request?

> 
> 9. apturl in its current version doesn't show the package description
> so people don't have a clue about what they are about to install other
> than the information provided on the website

The package description always relies on what the package author
provides. Either you trust the package provider or you don't.

However, I agree that its worth a wishlist bug to show the package
description in the package install confirmation dialog.


 - Alexander