On apturls and repositories

Alexander Sack asac at ubuntu.com
Tue Jun 2 10:03:47 UTC 2009

On Mon, Jun 01, 2009 at 09:48:26AM -0700, Dylan McCall wrote:
> Someone can 'easily' add a repository to a user's system (be it
> maliciously or not) through the following means:
>       * A .deb package that adds a repository to sources.list.d
>       * A .list file (in the format of sources.list, for example) which
>         is then automatically handled by Software Sources administration
>         (software-properties-gtk).
> There is therefore no security gain in apturls not doing repositories.
> All it takes is a simple file that the user downloads and opens to get
> the same thing happening.

The difference is that by design you can trigger apturls from websites
using javascript, which makes it hard for us to ensure that the user
is not tricked into believing that the apturl dialog is something the
user cannot trust. Also on websites you can easily trick users in
doing weird things (like a click game), which makes it harder to
prevent malicious attacks.

Also, the abilitity to trigger .deb installs from the web by a single
click is considered a bug and we look into making ffox and other
webbrowsers not allow that (instead similar to windows .exe downloads
only allow them to be saved and not opened directly from the web).

> ...is this maybe going a bit off base? There are already two methods for
> adding repositories and apturl doesn't strike me as the right design for
> listing public keys to import. (At least not without generating a
> horrifying abomination of a URI). And if it doesn't import public keys
> with some reasonable automation, it will not work for PPAs.

I agree. Instead of talking about allowing PPAs to be enabled through
apturl, we should improve the way PPAs can be enabled in
software-sources and app-center which was also one of the results of
the UDS discussions we had.

 - Alexander

More information about the Ubuntu-devel-discuss mailing list