[prev in list] [next in list] [prev in thread] [next in thread]
List: fedora-desktop-list
Subject: Re: Proposal: Fedora Workstation ships with enabled trusted flatpak runtime remotes
From: Alexander Larsson <alexl () redhat ! com>
Date: 2016-11-28 8:20:47
Message-ID: 1480321247.16194.88.camel () redhat ! com
[Download RAW message or body]
On tor, 2016-11-17 at 11:38 +0100, Kalev Lember wrote:
> On 11/17/2016 10:48 AM, Alexander Larsson wrote:
> >
> > The problem is when the runtime is *not* installed. The untrusted
> > remote could claim to have an "org.gnome.Platform" runtime, which
> > will
> > then be installed, and at this point you're affecting another app.
>
> Is it possible to use cryptography here to make this a bit more safe
> and
> easier to use? Instead of just matching "org.gnome.Platform" name,
> apps
> could maybe also require that "org.gnome.Platform" is signed with a
> certain key? And then we could do automatic install if we can find a
> runtime with matching signature? Also, maybe different
> "org.gnome.Platform" runtimes signed with different keys should be
> parallel installable?
We could pre-install a configuration for an individual runtime like
org.gnome.Platform, which includes a GPG key, and then that could be
used automatically. This essentially happens now I think. At least
there was a discussion about including preconfigured remotes for
fedora.
However, assuming this is a runtime we know nothing about, and some app
A depends on it. What prohibits app B to say it depends on that runtime
name, but supplying a different url for it *and* a different GPG key.
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Alexander Larsson Red Hat, Inc
alexl@redhat.com alexander.larsson@gmail.com
He's a jaded bohemian librarian looking for a cure to the poison coursing
through his veins. She's a disco-crazy cat-loving femme fatale from out
of town. They fight crime!
_______________________________________________
desktop mailing list -- desktop@lists.fedoraproject.org
To unsubscribe send an email to desktop-leave@lists.fedoraproject.org
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic