Apturl (security) issues and inclusion in Gutsy

Vincenzo Ciancia ciancia at di.unipi.it
Tue Sep 25 13:39:24 UTC 2007


On 25/09/2007 Wouter Stomp wrote:
> > > How is this different from providing links to .deb packages? Users
> > > unaware of architectures et al. are not really capable of
> > > understanding comments next to the link either. If they are, you can do
> > > the same for apturl links.
> > >
> 
> The users don't need to be aware of architectures or anything. But
> there shouldn't be links to install programs on websites when they
> don't work. The links should be hidden/removed when they won't work
> anyway.
> 
> 

You can currently click on a .deb on any website; you'll receive a
couple of questions, and if you click "ok" twice, you install a program on
your computer and run its post-install script as root. The
post-install script can add an apt-source, and call apt-get update. It
can even import a gpg key. However, this is not any different than
writing on a website "please cut and paste 'sudo wget *** && sudo dpkg
-i ***'" or "please add this line to /etc/apt/sources.list".

Now gdebi has been installed by default on Feisty, and helped a lot when
installing non-Ubuntu-provided software. There are plenty of websites
telling users to add apt sources; they do that every day; it's already
highly insecure.

Adding a way for people to provide user-friendly apt sources without
having to upload screenshots on how to add sources in
"system/administration/sources" (whatever it is called in English) does
not change the overall security model of Ubuntu and apt, which is: if
you have the root password, you can do whatever you like to your system,
and if you add an apt source and its gpg key using the root password,
you are authorizing other people to do whatever they want to your system.

Again: a gdebi-installed package can modify sources.list in its
postinstall script; this is no different than providing an apturl link.

Vincenzo
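
The message above notes that a .deb's maintainer scripts run as root and can add an apt source, import a key and call apt-get update. As an added example that is not part of the original message, this Python sketch opens a .deb without installing it and lists the maintainer-script lines that touch apt's sources or keys. The names `ar_members`, `audit_deb` and `build_sample_deb`, the pattern list and the sample package are assumptions made for illustration; `tarfile`'s `r:*` mode covers gzip, bzip2 and xz control archives only.

```python
import io, re, tarfile

TRUST_PATTERNS = {  # heuristic, assumed list of lines that change what apt trusts
    "apt source": re.compile(r"/etc/apt/sources\.list(\.d)?"),
    "apt key": re.compile(r"\bapt-key\b|/etc/apt/trusted\.gpg"),
    "index refresh": re.compile(r"\bapt(-get)?\s+update\b"),
}
MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm", "config"}

def ar_members(data):
    """Yield (name, payload) for each member of the ar archive that a .deb is."""
    if data[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(data):
        header = data[pos:pos + 60]
        if header[58:60] != b"`\n":
            raise ValueError("bad ar member header")
        size = int(header[48:58].decode().strip())
        yield header[:16].decode().strip().rstrip("/"), data[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)  # members are padded to an even offset

def audit_deb(data):
    """Yield (script, line_no, label, line) for each trust-changing script line."""
    for name, payload in ar_members(data):
        if not name.startswith("control.tar"):
            continue
        with tarfile.open(fileobj=io.BytesIO(payload), mode="r:*") as tar:
            for member in tar:
                script = member.name.lstrip("./")
                if member.isfile() and script in MAINTAINER_SCRIPTS:
                    text = tar.extractfile(member).read().decode("utf-8", "replace")
                    for no, line in enumerate(text.splitlines(), 1):
                        for label, pat in TRUST_PATTERNS.items():
                            if pat.search(line) and not line.lstrip().startswith("#"):
                                yield script, no, label, line.strip()

def build_sample_deb(postinst):
    """Constructed input: a minimal .deb-shaped archive holding only a postinst."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("./postinst")
        info.size = len(postinst)
        tar.addfile(info, io.BytesIO(postinst))
    out = b"!<arch>\n"
    for name, body in ((b"debian-binary", b"2.0\n"), (b"control.tar.gz", buf.getvalue())):
        out += b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, 0, 0, 0, b"100644", len(body))
        out += body + b"\n" * (len(body) & 1)
    return out
```

Pass the bytes of a downloaded package to `audit_deb` to review it; an empty result means only that none of these patterns matched, not that the scripts are harmless.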




More information about the Ubuntu-devel-discuss mailing list