Notices


Reply
Thread Tools
Posts: 1,341 | Thanked: 708 times | Joined on Feb 2010
#41
Originally Posted by Matan View Post
There are many bugs which will not be found by the extras "QA" process, or by Nokia's QA process for OVI. Certainly, intentional bad behaviour can easily slip through. Promising security for extras is akin to selling snake oil.

For example. The program can start sending lots of SMS only two weeks after installation.
That is one of the many reasons why DEB packages should be required to have embedded GPG signature of a packager, like RPM-packages. If the packager is the same as the developer, even better.
http://manpages.ubuntu.com/manpages/...ebsigs.1p.html
 

The Following User Says Thank You to zimon For This Useful Post:
Posts: 540 | Thanked: 288 times | Joined on Sep 2009
#42
Originally Posted by zimon View Post
That is one of the many reasons why DEB packages should be required to have embedded GPG signature of a packager
Everyone interested in this discussion should see the SELinux thread and continue there.

For those not interested in reading that thread "just because" I point this question (replies to the SELinux thread please): How do you verify that the signature is actually of a real person that is actually the packager (and how to make this easy for the end-user?)
 

The Following User Says Thank You to rambo For This Useful Post:
Jaffa's Avatar
Posts: 2,535 | Thanked: 6,681 times | Joined on Mar 2008 @ UK
#43
Originally Posted by zimon View Post
That is one of the many reasons why DEB packages should be required to have embedded GPG signature of a packager, like RPM-packages. If the packager is the same as the developer, even better.
With Extras we know who uploaded it (not to the extent of a GPG signature, but at least to the extent of a username/password or SSH key) through the user of authenticated Extras Upload Assistant or scp/dput with pre-registered SSH key.

Not in the same league, of course, but almost certainly Good Enough (for now).
__________________
Andrew Flegg -- mailto:andrew@bleb.org | http://www.bleb.org
 

The Following User Says Thank You to Jaffa For This Useful Post:
Posts: 1,341 | Thanked: 708 times | Joined on Feb 2010
#44
Originally Posted by Jaffa View Post
With Extras we know who uploaded it (not to the extent of a GPG signature, but at least to the extent of a username/password or SSH key) through the user of authenticated Extras Upload Assistant or scp/dput with pre-registered SSH key.

Not in the same league, of course, but almost certainly Good Enough (for now).
No it is not good enough, because people install packages also just by wget'ing them and installing with dpkg -i.
MITM-attack for example on open WLAN-accesspoints is really easy. Also many kind of redirections and tricks can be made so although the user thinks he is getting something from some netsite with Firefox/Fennec/microB/wget/lynx, (s)he instead gets the file attacker has changed.

Also, if some package has been installed now from a repository, and it has checked with Release.gpg that it is in fact that very same package what repository maintainers have checked for.

If there is a compromise in the system and you would like to know what files have been changed, in RPM-based system you can just check authenticity and integrity of any installed package with "rpm -V", because there still is the package's GPG-signature available locally, and if you want to be real sure, you check the filesystem externally using 100% trusted non tampered tools.

With DEB-system, once some package is updated, it is much more difficult to check that files from the package you have installed are non-tampered. The Release.gpg file supports only the recent version of that package in the repository.

IN RPM-based system, lets assume you think wget has been tampered when your friend's friend had a 5 minute time root access when you were visiting toilet. Let's assume, in the repository wget has a new version already. But you want to know if wget was tampered on your local system.
You just run command: rpm -V wget
It will check wget-package against all the md5sums and against the GPG-signature which was embedded in the package when you installed it.
 
Posts: 9 | Thanked: 0 times | Joined on Nov 2007
#45
application in development looks more for me than ovi..that is the temptation to try out any new apps

just wondering when ovi store will have many apps for n900
 
Posts: 436 | Thanked: 298 times | Joined on Jan 2010 @ England
#46
I got my N900 end of jan,. I am a linux noob .... started out using just the extras testing repo as from what i can read the worst that can happen in testing is an app could cause issues but uninstalling the app will sort it out.
then i started looking into devel repo and installing stuff from there .... i know that an app may mess my phone up totally but by reflashing i can sort it out.
I am now starting to (tentativley) use xterminal to change stuff (added the reboot button to power key menu)

All scary stuff but you gotta live on the wild side eh!
__________________
SEE THE WIKI.MAEMO ALARMED PAGE AND FIND NEW, COOL COMMANDS AND IF YOU HAVE ANY COOL/AWESOME/USEFUL COMMANDS YOURSELF PLEASE ADD THEM. http://wiki.maemo.org/ALARMED_Commands_List
If you dont have a wiki.maemo account and cant be bothered to create one you can inbox me your commands and I will add them for you.
 
Posts: 1,427 | Thanked: 2,077 times | Joined on Aug 2009 @ Sydney
#47
From Day 1, I installed extras-devel apps without any hesitation whatsoever.
Come on. What's the worse it can do? I'll reflash if it caused mine to not boot up properly.

I reckon I've installed about 100-200 extras-devel apps over the past few months.
Never had a single issue with any of them causing any global issues.
App itself might have been dodgy but if so, just uninstall it. No harm done.

Yes, people need to watch their rootfs space.
But Maemo5 OS should have some automatic monitoring/warning. No idea why it doesn't.

I want 0day apps. I want it now. Not after days/weeks/months. So I thank for extras-devel repo. =)
 
Reply

Tags
dangerous, devel, testing

Thread Tools

 
Forum Jump


All times are GMT. The time now is 02:58.