Our sandboxed apps won't really protect users (was: Re: Darktable Copr)

Michael Catanzaro mcatanzaro at gnome.org
Fri Sep 11 05:41:08 UTC 2015


On Wed, 2015-09-09 at 20:56 -0500, Pete Travis wrote:
> As a follower of the discussion, and packager of an application that
> might fall under these requirements, your phrasing here makes me
> nervous. I'm not reading "We will develop infrastructure for
> distributing xdg-apps", I'm reading "We will require infrastructure
> for development and distribution xdg-apps be developed". Packages not
> represented in Software are installed by users now, and these packages
> will continue to be installed if Software deigns to only expose
> xdg-apps.
> 
> I'm not sold. I don't believe that the majority of users consume
> Fedora exactly as intended by this kind of strategy, and I am dubious
> that the project would be better off if they did. The strength of
> Fedora is in both polish and extensibility. Extremes in either
> direction weaken the appeal. Look at devassist, for example - in my
> opinion, the one included 'application' serving the developer
> workstation use case. There's talk of dumping it for lack of polish,
> and talk of deployment methodology mandates....
> 
> Either I'm totally lost, OR the GNOME spin should rebrand as a desktop
> computing appliance with a wholly curated experience, and the project
> should promote some other implementation as a versatile desktop Linux
> distribution.

Hi,

You've posed a hard question that we've been ignoring because it's
hard.

Your key point is: "Packages not represented in Software are installed
by users now, and these packages will continue to be installed if
Software deigns to only expose xdg-apps."

The compromise solution will probably wind up being that Software only
exposes xdg-apps, like you fear, but I'm going to argue that doesn't go
nearly far enough. You maybe haven't considered that we have a
compelling interest to make sure users can run only sandboxed xdg-apps,
period, so that bad guys can't own users' computers by putting custom
installers and RPMs up for download on their web sites. But we also
want to make sure Fedora remains a general purpose OS that the user has
full control over: we're not respecting the user if we limit what he
can do like an iThing. The goals are contradictory.

If you can do whatever you want, you'll probably install the first
non-sandboxed, non-xdg-app-ified third-party app that you want to use. If
that becomes commonplace, it will totally defeat the purpose of having
application sandboxes: we might as well not bother, because sandboxing
all the non-malicious applications does us zero good if the malicious
applications simply don't use the sandbox. Analogy: Windows and Java
application signing is intended to make it harder to distribute
malware. It's also totally worthless, because it's optional, and nobody
cares whether an application is signed or not, or even understands what
that means. (In fact, it's worse than worthless, it's actively harmful,
since it trains users to ignore security questions.) This is *exactly*
what is going to happen to xdg-app if we allow running things that
aren't xdg-apps. It's also what's going to happen to sandboxed xdg-apps
if we allow running unsandboxed xdg-apps. Even if most apps play nicely
in the sandbox, you're just going to get owned by the ones that don't,
and building the sandbox was a waste of effort.

The best way to solve that problem is to become an iThing, which we
definitely aren't going to do, because that would be disrespectful to
users and just plain BS. But we have to do that, or we're not
protecting users, and that too is disrespectful and BS. So what do we
do? Probably find a compromise between the two extremes, which sounds
to me like exposing only sandboxed xdg-apps in Software, but that's
*really* not enough, because like you say: packages not represented in
Software are installed by users now, and these packages will continue
to be installed if Software deigns to only expose xdg-apps.

Anyway, we need to give you a non-BS answer, and I don't have one,
sorry. Maybe somebody else does.

Michael
