
List:       fedora-desktop-list
Subject:    Re: Proposal: Fedora Workstation ships with enabled trusted flatpak runtime remotes
From:       Kamil Paral <kparal () redhat ! com>
Date:       2016-11-11 13:35:40
Message-ID: 1439767347.929148.1478871340419.JavaMail.zimbra () redhat ! com

> > Can you elaborate? What security issues?
> > Could installing runtime X subvert runtime Y used by other apps, e.g.
> > by claiming that X is an update for Y? In that case I'd expect that
> > GPG keys have to match, or something like that.
> 
> Yeah, the app requires the runtime X which is not installed and adds a
> remote to install it, but the remote could also contain a malicious
> version of the runtime Y which is already installed and used by other
> apps, and the malicious version overrides it as an update. Then other
> apps get infected.
> I think all that matters are runtime ID and version, AFAIK GPG only
> checks if the runtime comes from the remote it claims it does.
> Yes, there could be a safety catch that would prevent updating the
> runtime from a different remote than the original one.

I think this is quite essential to have. It would allow automatic
runtime installation without any questions asked, which is something I
expected (or at least hoped for) from flatpak. I want to download a file
and double click on it. I don't want to decide whether remote X needed
for runtime Y is trustworthy or not. The user should not even know what
a runtime is, it should be completely transparent :)

I'm no security expert but in my naive world it shouldn't be too hard to
make sure that remotes can't supply updates for runtimes from other
remotes, using digital signatures.
_______________________________________________
desktop mailing list -- desktop@lists.fedoraproject.org
To unsubscribe send an email to desktop-leave@lists.fedoraproject.org
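
The "safety catch" discussed in this thread, as an added example that is not part of the original message and not Flatpak's own code: a toy update resolver that matches on runtime ID and version only, next to one that pins each installed runtime to the remote it was installed from. All names, the data model and the sample offers are hypothetical and constructed for illustration; `sig_ok` stands for "the signature verified against the offering remote's own key".

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Candidate:
    ref: str        # runtime ID/branch (hypothetical naming)
    version: int    # increasing build number (a simplification)
    remote: str     # remote offering this build
    sig_ok: bool    # signature verified against that remote's own key

# Constructed sample state: runtime Y was installed from "trusted".
INSTALLED = {"org.example.RuntimeY/1.0": {"origin": "trusted", "version": 3}}

# Constructed offers: "thirdparty" was added only to obtain runtime X,
# but it also publishes a newer, validly signed build of runtime Y.
OFFERS = [
    Candidate("org.example.RuntimeY/1.0", 4, "trusted", True),
    Candidate("org.example.RuntimeY/1.0", 9, "thirdparty", True),
    Candidate("org.example.RuntimeX/2.0", 1, "thirdparty", True),
]

def pick_update_naive(ref, installed, offers):
    """Match on ID and version only: highest validly signed build wins."""
    cur = installed[ref]["version"]
    ok = [c for c in offers if c.ref == ref and c.sig_ok and c.version > cur]
    return max(ok, key=lambda c: c.version, default=None)

def pick_update_pinned(ref, installed, offers):
    """Safety catch: only the remote a ref was installed from may update it."""
    origin = installed[ref]["origin"]
    same_origin = [c for c in offers if c.remote == origin]
    return pick_update_naive(ref, installed, same_origin)

def rejected_cross_remote(ref, installed, offers):
    """Offers for an installed ref from a non-origin remote; worth logging."""
    origin = installed[ref]["origin"]
    return [c for c in offers if c.ref == ref and c.remote != origin]

if __name__ == "__main__":
    ref = "org.example.RuntimeY/1.0"
    print("naive :", pick_update_naive(ref, INSTALLED, OFFERS))
    print("pinned:", pick_update_pinned(ref, INSTALLED, OFFERS))
    print("logged:", rejected_cross_remote(ref, INSTALLED, OFFERS))
```

A valid signature alone does not change the outcome here: both offers for runtime Y verify, and only the origin check separates them.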

