Usage of apturl in the documentation

Matthew East mdke at ubuntu.com
Sat Sep 27 19:27:00 UTC 2008 

On Sat, Sep 27, 2008 at 5:16 PM, Dougie Richardson
<ddrichardson at btinternet.com> wrote:
> The assertion that it hasn't happened is mute - we are discussing potential exploits.

I don't think that's true - I was pointing out that fooling a user
into installing a potentially risky package is already possible, so
it's relevant that it hasn't happened so far.

Say there is a package called "mysql-openallports" which has a known
vulnerability. A user can be fooled into installing it in either of
the following ways:

* To give your desktop serious bling, install the "mysql-openallports"
package by typing "sudo apt-get install mysql-openallports".
* To give your desktop serious bling, install the
[[apt:mysql-openallports compiz]] package

In the second example, which is the situation that you're concerned
about, the only difference from the first example is that the
malicious editor can disguise the name of the package in the wiki
page. But most beginners will equally happily follow the first
instruction.

> If you are saying that it's a minor concern and the benefits outweigh any concern then that's a different position. However at the moment you're accusing me of paranoia

The word paranoia in my email wasn't intended to be directed at you.
I'd intended simply to make the point that we should be careful about
building up risks which are small or unlikely (from the spec - "the
security implications are small"), or which are already present.

>> And if the Ubuntu development team was happy to enable apt-url in
>> firefox and gnome so that the protocol works on any site where the
>> administration chooses to use it, (and it's clear from the spec that
>> this risk was considered already) then it just doesn't make sense to
>> me to avoid using on the Ubuntu help wiki. I don't think as a team we
>> are well equipped to reconsider an issue already considered by the
>> development team.
>
> I wasn't aware there was a hierarchy and I think that statement implies a disservice to other members of the documentation team.

Why? The Ubuntu development team has a specific security team who
looks at these issues, and as a team is stock full of Linux technical
experts. The documentation team (by its very nature) simply doesn't:
it has writers. That's not a disservice at all, it's just a fact.

That's not to say that there is no one in the team with that type of
technical knowledge, I'm sure there is, but we can't (and shouldn't)
have the same resources as the development team.

> that doesn't preclude me from voicing an opinion

Of course not! That's why I was keen for Vadim to start this thread in
the first place.

-- 
Matthew East
http://www.mdke.org
gnupg pub 1024D/0E6B06FF

More information about the ubuntu-doc mailing list