zeroinstall-injector

Thomas Leonard talex5 at gmail.com
Tue Jan 9 20:42:36 GMT 2007


On Tue, 09 Jan 2007 21:09:11 +0100, Reinhard Tartler wrote:

> "Thomas Leonard" <talex5 at gmail.com> writes:
> 
>> I uploaded a package for Zero Install back in Oct 2006:
>>
>> http://revu.tauware.de/details.py?upid=3885
>>
>> I got a comment on Dec 20th to update the version number, which I've done.
>>
>> Do I need to tell someone about this (e.g. write to this list), or do
>> reviewers get notified automatically? How long does the process normally
>> take?
> 
> Apart from the package quality (which I'd consider okay), I had a look
> at what 0install actually does. It seems to me that 0install is similar to
> autopackage, a project I have strong reservations with. I fear that this
> tool has the potential to badly break a user account.

I think you'll find the security model is rather different in Zero Install.

In particular, it should never "break" a user account, since it only
ever writes to the directories ~/.config/0install.net
and ~/.cache/0install.net (which I presume Ubuntu isn't using for anything
else ;-).

> Furthermore, I have some security concerns (who validates/authorizes a
> signature from one upstream).

The user installing the software, assisted by a "hints" database of known
keys. While you can try to protect users from installing malware, at the
end of the day it *is* their computer, and they have to make the final
judgement.

Note that, unlike dpkg, Zero Install doesn't run any scripts as root, or
copy files into /usr/bin, etc. So, from a security perspective you should
compare a user installing with Zero Install vs installing to $HOME without
it.

> What happens, if a library is pulled via 0install, and later installed
> via apt-get?

APT will place one copy in /usr/lib, which will be used by programs
installed by APT.

Zero Install will place one (possibly identical) copy in
~/.cache/0install.net, which will be used by programs run through Zero
Install.

Having two copies may be inefficient, but nothing should break.

> What do the others think? Should we have this in ubuntu?

Please let me know if you have any other concerns.


-- 
Dr Thomas Leonard		http://rox.sourceforge.net
GPG: 9242 9807 C985 3C07 44A6  8B9A AE07 8280 59A5 3CC1
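
The statement in the message above, that Zero Install only writes under ~/.config/0install.net and ~/.cache/0install.net, is something a package reviewer can check by snapshotting a throwaway home directory before and after a run. The following is an added example, not part of the original message and not Zero Install's own code; the function names and the sample files in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile

# The two directories named in the message, relative to the home directory.
ALLOWED = (".config/0install.net", ".cache/0install.net")

def snapshot(home):
    """Map each file, symlink or special file under `home` to a fingerprint."""
    state = {}
    for root, dirs, files in os.walk(home):  # symlinked directories are not followed
        for name in files + dirs:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, home)
            if os.path.islink(path):
                state[rel] = "link:" + os.readlink(path)
            elif os.path.isfile(path):
                with open(path, "rb") as fh:
                    state[rel] = hashlib.sha256(fh.read()).hexdigest()
            elif not os.path.isdir(path):
                state[rel] = "special"  # FIFO, socket, device: never opened
    return state

def outside_allowed(before, after, allowed=ALLOWED):
    """Return sorted paths created, modified or deleted outside `allowed`."""
    changed = {p for p in before.keys() | after.keys()
               if before.get(p) != after.get(p)}
    def permitted(rel):
        # Require a path-separator boundary so "0install.net-x" does not match.
        return any(rel == a or rel.startswith(a + os.sep) for a in allowed)
    return sorted(p for p in changed if not permitted(p))

def demo():
    """Constructed scenario: one write inside the cache, one stray write."""
    with tempfile.TemporaryDirectory() as home:
        cache = os.path.join(home, ".cache", "0install.net")
        os.makedirs(cache)
        rc = os.path.join(home, ".bashrc")
        with open(rc, "w") as fh:
            fh.write("# original\n")
        before = snapshot(home)
        with open(os.path.join(cache, "constructed-entry"), "w") as fh:
            fh.write("cached\n")
        with open(rc, "a") as fh:
            fh.write("# constructed stray edit\n")
        return outside_allowed(before, snapshot(home))

if __name__ == "__main__":
    print(demo())
```

An empty list from `outside_allowed` means every change stayed inside the two allowed directories; any other path is a write the reviewer should investigate.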




More information about the Ubuntu-motu mailing list