[wiki] Third party untrusted code instructions

Doug Smythies dsmythies at telus.net
Tue Nov 20 17:07:39 UTC 2018


On 2018.11.20 07:30 Robie Basak wrote:

> Hi,

Hi,

> I just came across
> https://help.ubuntu.com/community/ManualFullSystemEncryption/DetailedProcessPrepareInstall
> via
> https://community.ubuntu.com/t/can-we-get-real-full-disk-encryption/8802

For some reason your link is a sub-page from the main one:

https://help.ubuntu.com/community/ManualFullSystemEncryption

that contains a disclaimer:

> I'm concerned that this page instructs users to download and run a
> script from Dropbox. It looks well intended, but I think it presents a
> number of problems:

Note that the script itself downloads two others from Dropbox.

It also is a moved permanently link, which is a concern right from the start.

> 1) The code hasn't been vetted by a developer trusted by the Ubuntu
> project, unlike all code shipped by Ubuntu itself.
>
> 2) Has anybody at all vetted that the code is safe for users to run?

Well the script is well written and easy enough to read.
That being said, I cannot vouch for it.

> 3) A compromise of the unknown Dropbox user's account could lead to
> a compromise of any user's system who follows these instructions after
> that compromise.
>
> 4) More generally, the code could change at any time, out of control of
> the Ubuntu project, without any audit trail, and immediately invalidate
> any previous audit made by community members.

Agreed.

> 5) It normalises the idea that it is OK for users to download and run
> arbitrary scripts from the Internet.

Agreed.

> It is effectively a third party alternate installer. I welcome efforts
> like these, but I don't think they should be presented as "instructions"
> or "documentation" without making it clear that the user is relying on
> the trust of an entire third party program.

Would expanding the current disclaimer a bit and putting it on every
page, not just the main parent page, be adequate?

> Arguably this is what
> "Community wiki" implies, but normally I'd expect this to compromise
> documentation, not entire third party programs.
>
> I couldn't find any existing policy on the wiki documentation containing
> guidance on this kind of thing. What is and isn't acceptable for the
> community wiki to instruct users to do?

I'm not sure what to say here. There was obviously a lot of work put
into this, I assume by Paddy. Your points and concerns are valid.
Myself, I have very little to do with the wiki stuff.

... Doug
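
Added example, not part of the original message and not taken from the wiki's script: a gate for quoted points 3 and 4 and for the observation that the script downloads two others. It refuses a script whose SHA-256 differs from the digest recorded at audit time and flags nested downloads that a pinned digest does not cover. The function names, file names and example.invalid URL are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example: function names, paths and the sample script are constructed.
# Nothing here contacts the network or executes the script under review.

# verify_pinned FILE EXPECTED_SHA256
# Succeeds only if FILE still hashes to the digest recorded when it was audited.
verify_pinned() {
    local file=$1 expected=$2 actual
    actual=$(sha256sum -- "$file" | cut -d' ' -f1)
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# list_nested_fetches FILE
# Prints (with line numbers) lines where the script pulls further content from
# the network. Those downloads are outside the pinned digest, so an audit of
# the top-level file says nothing about them.
list_nested_fetches() {
    grep -nE '(^|[^[:alnum:]_])(wget|curl)[[:space:]]|https?://' -- "$1"
}

# audit_gate FILE EXPECTED_SHA256
# Prints one verdict and returns non-zero unless the script is unchanged since
# the audit and fetches nothing else.
audit_gate() {
    if ! verify_pinned "$1" "$2"; then
        echo "changed-since-audit"
        return 1
    fi
    if list_nested_fetches "$1" >/dev/null; then
        echo "fetches-unpinned-code"
        return 1
    fi
    echo "ok"
}

# Demo on a constructed script that fetches a second stage.
demo_dir=$(mktemp -d)
printf '%s\n' '#!/bin/sh' \
    'wget -q https://example.invalid/stage2.sh' \
    'sh ./stage2.sh' > "$demo_dir/install.sh"
pinned=$(sha256sum "$demo_dir/install.sh" | cut -d' ' -f1)  # digest at audit time
audit_gate "$demo_dir/install.sh" "$pinned" || true
list_nested_fetches "$demo_dir/install.sh" || true
rm -rf "$demo_dir"
```

The pinned digest only helps if it is published somewhere the script's host cannot change, and each nested download needs its own pinned digest before the whole chain can be considered audited.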