Request For Candidates: Application Review Board
Marc Deslauriers
marc.deslauriers at canonical.com
Thu Aug 26 15:59:43 BST 2010
On Thu, 2010-08-26 at 15:53 +0200, Martin Pitt wrote:
> Scott Kitterman [2010-08-26 8:58 -0400]:
> > I think that not using maintainer scripts, installing to /opt, running as the
> > user are good steps to support the traditional *nix security paradigm of
> > protecting the systems/root, but for this to lead to a truly lightweight
> > system, we will need to kick it up a level and also protect user level data
> > from such applications unless they are authorized to have access to it.
>
> This sounds a lot like the guest session to me. Perhaps we can recycle
> its AppArmor confinement for this?
While I really like the idea of trying to sandbox applications, this may
not be the best approach for an app store. This is all about trust. You
can't gain trust by using technical means to restrict what an
application can do.
App stores that are on the iPhone and Android devices don't let
anonymous people upload applications. The store owner knows _who_ the
application authors are by signing legal contracts with them, and
obtaining their legal personal information and/or credit card numbers.
Application users can flag applications as being malicious, the store
owner can ban malicious publishers, and remotely uninstall malicious
applications. _That_ is the trust that is put in the store owner by the
user.
Of course, this doesn't totally prevent malicious applications, but it's
a _lot_ safer and easier to control than trying to sandbox every app on
a general-purpose operating system.
Installing an application with user privileges is a bad idea.
Application software should not be vulnerable to tampering, either
accidentally by the user himself, or by malware running in the user's
security context. This will make the apps installed via the app store
unreliable and susceptible to being trojaned. One of the reasons that Linux
is more reliable than other operating systems is that a user can only
muck up his own directory. Let's not mess this up by using security as a
pretext.
Just my 2c...
Marc.