Our sandboxed apps won't really protect users (was: Re: Darktable Copr)

Michael Catanzaro mcatanzaro at gnome.org
Fri Sep 11 16:10:56 UTC 2015


Hi,

On Fri, 2015-09-11 at 11:30 -0400, Owen Taylor wrote:
> The thing to realize is that Fedora has no interest in *preventing*
> users from installing arbitrary software on their system. What we have
> an interest in is preventing users from being *tricked* into
> installing such software.

Right. Agreed.

> What xdg-app allows is to make it plausible to greatly *extend* the
> set of software - to allow displaying results that are not built by
> Fedora.
> 
> It can't be a complete wild west - there have to be mechanisms for
> reporting abuse, blacklisting apps, etc - but we can very viably allow
> people to download and run applications built by 3rd parties, without
> making every such app downloaded be able to do *absolutely anything on
> the system* as is the case now.

Yes, you're right. Populating the software center is a clear goal that
sandboxed xdg-apps allow us to accomplish. So I'm wrong, and they are
worth pursuing, regardless of whether they protect against malicious
apps that are distributed outside the software center.

> For applications built in Fedora - moving them to xdg-apps provides
> incremental benefits, such as having a security vulnerability in an
> application be localized to that application - so there's an incentive
> to work in this direction.
> 
> But there's no point in just blanket kicking out all existing
> applications in Fedora out of Software unless they are packaged as
> xdg-apps - that doesn't benefit the user.

Yes, I agree, good point.

Well, there is still one problem here: I expect it's actually quite
easy to get malicious software into Fedora, which is a rather huge hole
in this plan. So we do want to make sure that we're incrementally
moving towards having more sandboxed xdg-apps. We might do that by
grandfathering in existing packages, and saying new packages must be
sandboxed, but we don't have to. Eventually the goal should be to
minimize the set of unsandboxed software we distribute to the bare
minimum (probably core apps), but we don't have to achieve that
overnight, or even anytime soon, to get real benefits from the
technology.

> We might want to eliminate the behavior where, currently, you can
> click on an RPM link and the RPM is opened by GNOME Software. Or at
> least the ability to override the default rejection of unsigned
> packages by entering an admin password.
> 
> But that doesn't mean that we're preventing people from installing
> such RPMs and taking the control of the system out of the people
> using the system.

We should think harder about how to protect against malicious apps
distributed outside the software center. If Software doesn't allow
installing RPMs anymore, the bad guys are just going to trick users
into using the terminal to do so. It doesn't help that non-malicious
developers instruct users to install their apps using the terminal...

Michael


More information about the desktop mailing list