Untrusted software and security click-through warnings
Scott James Remnant
scott at ubuntu.com
Tue Oct 2 21:39:58 BST 2007
On Fri, 2007-09-28 at 15:56 +0100, Ian Jackson wrote:
> Conclusion: Ubuntu systems should not provide a smooth `click through'
> route to the installation of untrustworthy software.
>
> Untrustworthy software includes all software which we don't have some
> reason to trust. This means:
>
> * No click-through installation of downloaded .debs
> * No click-through addition of arbitrary apt repositories or keys
> * No click-through installation of arbitrary browser plugins
> * No click-through addition of PPAs without further policy controls
>
> What _is_ OK is:
>
> * Yes, click-through installation of .debs already in Ubuntu
> * Yes, click-through installation of browser plugins provided in Ubuntu
> * Yes, click-through installation of media codecs provided in Ubuntu
> * Yes, click-through addition of PPAs whose uploaders we bless
> and for which someone will provide security support
>
One way to support this would be through a trust chain. Click-through
is permitted if the repository Releases file is signed by the Ubuntu GPG
key or by a key signed by the Ubuntu GPG key.
Repository owners would apply for this signing in the manner you
suggest.
This would not prevent legitimate third-party application repositories,
but would prevent random joe ones.
Unfortunately I agree with Kees that this won't actually stop anybody.
Once a user is determined to install a piece of software, they will
follow all of the instructions that tell them how to do it.
The only thing this will stop is users clicking on an apparently
innocent link and having software installed on their machine without
their knowledge.
A similar effect could be gained by making the [Install] button a
specific control that couldn't be faked, thus users would know that by
clicking it they were installing a piece of software.
Yes, that won't stop them installing software they think they want that
is actually bad, but nothing will stop that.
Scott
--
Scott James Remnant
scott at ubuntu.com
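A minimal model of the trust chain proposed above, added here as an example and not code from this thread or from Ubuntu's tooling: Ed25519 from Go's standard library stands in for GPG, and the three repository keys and the Release file contents are constructed. Click-through is allowed only when the Release file verifies under a key that is either the Ubuntu key itself or carries a certification signed by the Ubuntu key; a self-certified "random joe" key is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Certification records that the Ubuntu key signed a repository key
// (the "apply for signing" step in the proposal). Hypothetical type.
type Certification struct {
	Subject ed25519.PublicKey // the repository key being certified
	Sig     []byte            // signature over Subject by the Ubuntu key
}

// ClickThroughPermitted applies the rule: the Release file must verify under
// signer, and signer must be the Ubuntu key or be certified by it (one hop).
func ClickThroughPermitted(ubuntu ed25519.PublicKey, release, sig []byte,
	signer ed25519.PublicKey, certs []Certification) bool {
	if !ed25519.Verify(signer, release, sig) {
		return false // Release file is not signed by the claimed key
	}
	if signer.Equal(ubuntu) {
		return true // signed directly by the Ubuntu key
	}
	for _, c := range certs {
		// Only a certification that verifies under the Ubuntu key counts.
		if c.Subject.Equal(signer) && ed25519.Verify(ubuntu, c.Subject, c.Sig) {
			return true
		}
	}
	return false
}

// Scenarios returns the decision for an official repository, a blessed PPA,
// and an uncertified repository whose owner only certified himself.
func Scenarios() (official, blessed, randomJoe bool) {
	ubuntuPub, ubuntuPriv, _ := ed25519.GenerateKey(rand.Reader)
	ppaPub, ppaPriv, _ := ed25519.GenerateKey(rand.Reader)
	joePub, joePriv, _ := ed25519.GenerateKey(rand.Reader)
	release := []byte("Origin: Example\nSuite: gutsy\n") // constructed sample
	certs := []Certification{
		{Subject: ppaPub, Sig: ed25519.Sign(ubuntuPriv, ppaPub)}, // blessed by Ubuntu
		{Subject: joePub, Sig: ed25519.Sign(joePriv, joePub)},    // self-signed, no chain
	}
	official = ClickThroughPermitted(ubuntuPub, release, ed25519.Sign(ubuntuPriv, release), ubuntuPub, certs)
	blessed = ClickThroughPermitted(ubuntuPub, release, ed25519.Sign(ppaPriv, release), ppaPub, certs)
	randomJoe = ClickThroughPermitted(ubuntuPub, release, ed25519.Sign(joePriv, release), joePub, certs)
	return
}

func main() {
	o, b, j := Scenarios()
	fmt.Println("official:", o, "blessed PPA:", b, "random joe:", j)
}
```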