[wiki] Third party untrusted code instructions

Paddy Landau paddy at landau.ws
Tue Nov 20 16:02:05 UTC 2018 

Thank you for this, Robie.

Other people have voiced the same concerns.

I am not a developer; when I put together, tested and documented the
system, I was simply putting together pieces created by others.

Someone volunteered to put the three scripts onto GIT, but unfortunately it
has not as yet happened.

If you, or anyone else reading this, would be willing to volunteer to put
the scripts into GIT, I would be thrilled.

To answer your other question, as this isn't officially supported by
Canonical (although I wish that Canonical would take charge and implement
proper encryption), no one outside a couple of users have vetted the
scripts. You can see some discussion on the main thread
<https://ubuntuforums.org/showthread.php?t=2399092>. I always welcome any
assistance.

Regards

Paddy

On Tue, 20 Nov 2018 at 15:32, Robie Basak <robie.basak at ubuntu.com> wrote:

> Hi,
>
> I just came across
>
> https://help.ubuntu.com/community/ManualFullSystemEncryption/DetailedProcessPrepareInstall
> via
> https://community.ubuntu.com/t/can-we-get-real-full-disk-encryption/8802
>
> I'm concerned that this page instructs users to download and run a
> script from Dropbox. It looks well intended, but I think it presents a
> number of problems:
>
> 1) The code hasn't been vetted by a developer trusted by the Ubuntu
> project, unlike all code shipped by Ubuntu itself.
>
> 2) Has anybody at all vetted that the code is safe for users to run?
>
> 3) A compromise of the unknown Dropbox user's account could lead to
> a compromise of any user's system who follows these instructions after
> that compromise.
>
> 4) More generally, the code could change at any time, out of control of
> the Ubuntu project, without any audit trail, and immediately invalidate
> any previous audit made by community members.
>
> 5) It normalises the idea that it is OK for users to download and run
> arbitrary scripts from the Internet.
>
> It is effectively a third party alternate installer. I welcome efforts
> like these, but I don't think they should be presented as "instructions"
> or "documentation" without making it clear that the user is relying on
> the trust of an entire third party program. Arguably this is what
> "Community wiki" implies, but normally I'd expect this to compromise
> documentation, not entire third party programs.
>
> I couldn't find any existing policy on the wiki documentation containing
> guidance on this kind of thing. What is and isn't acceptable for the
> community wiki to instruct users to do?
>
> Thanks,
>
> Robie
>

More information about the ubuntu-doc mailing list