App installer design: click packages

Alejandro J. Cura alejandro.cura at
Mon May 13 22:05:39 UTC 2013

On Mon, May 13, 2013 at 6:53 PM, Colin Watson <cjwatson at> wrote:
> On Mon, May 13, 2013 at 01:56:43PM -0400, Marc Deslauriers wrote:
>> On 13-05-13 11:05 AM, Alejandro J. Cura wrote:
>> > This thread assumes that packages need to be uncompressed and
>> > installed before usage, so I'd like to ask if there was any discussion
>> > re: using something like squashfs images as the distributed packages
>> > instead of a zip or tar-like file.
>> >
>> > This would mean that such downloaded images can be mounted read-only
>> > by whatever launches applications, using nosuid, nodev, and with the
>> > required uid, and then run immediately, instead of having to go thru a
>> > copy of files from the package to the storage, which slows down
>> > installation and usually requires double the storage space.
>> That would mean we'd need to have a privileged helper to be able to
>> mount application packages at application execution time. There are a
>> lot of security implications of doing something like this, and I fear
>> this would be a substantial attack surface.
> And even if we mounted them all just once at boot, (a) we'd still need
> to use root privilege to mount at application installation/upgrade time,
> (b) any bug in squashfs would now become an easy escalate-to-kernel
> vulnerability exploitable through the app store.  Now, (b) is still true
> for dpkg/tar/etc., but tar is already assumed to take hostile input, and
> the relevant parts of dpkg are mainly shared with unprivileged
> operations such as 'dpkg -c' which are also assumed to take hostile
> input and have had a good deal of attention over the years; and even if
> there is a problem we can at least contain it to a less-privileged
> specialised 'software' user.

Yes, any squashfs overflow sounds scary for this use case, so I'm
convinced now that it's not such a good idea.

Thanks for your replies!

More information about the ubuntu-devel mailing list