Active Topics

 


Reply
Thread Tools
PinCushionQueen's Avatar
Posts: 538 | Thanked: 168 times | Joined on Dec 2007 @ Seattle
#11
Originally Posted by theox26 View Post
What jussik is referring to is that they can add whatever they want to their repository and you are none the wiser of it. So while they don't have a full root access, they can put whatever they want in their repo and call it whatever they want.

Also, anyone can add a repo to gronmayer's site, so you should probably research before installing them. While there is a small chance of someone doing it, they could host a malicious program and name it some updated version of a file everyone wants or some new game people are asking for.

When you allow someone access to your system, you should always be sure you can trust them. It's like letting someone borrow your car, you don't give it to just anyone.

Also, you are right, they don't get all your personal info just by adding their repo, they would have to inject a malicious file first, which they could feasibly do.

Hope that helps clear things up.
Ok, yeah - that's been my understanding as well - thanks for confirming . But isn't that the case with any and every piece of software out there? Windows, Linux, Mac or even Palm software shouldn't be downloaded unless you trust the source or at the very least have a good backup - because it could jack up you device.
__________________
When you wish upon a star, your dreams really can come true... Unless it's an asteroid hurtling towards earth that will destroy all life.
 
Posts: 39 | Thanked: 12 times | Joined on Dec 2007
#12
Originally Posted by PinCushionQueen View Post
Just curious, how do you come up with the repos listed in the first post as "Official" compared to the gronmayer repos? They are also listed at the gronmayer site. Or are you just saying that the ones listed are officially endorsed by Maemo?

Maemo Contrib is exactly the same as Maemo Extras at gronmayer - with the exception of the url listed. If you check out the contents and dates and sizes they are identical.

I've been using the gronmayer repos but it is nice to see some mirrors/alternatives offered.
When I say official, I mean repositories hosted on the maemo.org site nothing more.

In response to geneven, when I said no one recommend adding all the reps listed on gronmayer site, I was only refering to the first few posts of this thread. Also, I consider the info for maemo tablet newbies.. and I recommend folks first try and find out what stuff is in a repository not hosted on maemo.org before adding it.. but shouldnt really matter, as you can always reflash and start over... use to this thanks to windows

Last edited by futures; 2008-01-06 at 03:42.
 
Posts: 139 | Thanked: 24 times | Joined on Sep 2005
#13
Originally Posted by PinCushionQueen View Post
Ok, yeah - that's been my understanding as well - thanks for confirming . But isn't that the case with any and every piece of software out there? Windows, Linux, Mac or even Palm software shouldn't be downloaded unless you trust the source or at the very least have a good backup - because it could jack up you device.
There is a difference here -- adding a repository to the list means trusting the source not only this one time, but trusting it all the time in the future too... Basically the repository model can be easier and safer than the Windows/Mac/Palm model, but only if users only accept repositories they trust (implicitly this means that repo upload access is strictly restricted to trusted developers only). I'm not saying the maemo repos are a model example of this, but this is what we should strive for: A small number of repositories with clear "security levels" so users can choose the level of risk they want -- with 101 repositories this is not really possible.

Here is an example of the threat I was talking about btw:
User has repositories Good and Evil enabled. He installs "AwesomeProgram 1.0.0" for repo Good. Later Application manager tells user there is an upgrade available (1.0.1) and he of course installs it -- not realising that the new version actually comes from Evil and contains a keylogger and send his home dir all over the internet.

If you are diligent you can notice that something is wrong before installing the upgrade, but it is difficult... It's a lot easier to mitigate the risk by only enabling the repositories you trust.

Last edited by jussik; 2008-01-06 at 10:58.
 

The Following User Says Thank You to jussik For This Useful Post:
free's Avatar
Posts: 739 | Thanked: 159 times | Joined on Sep 2007 @ Germany - Munich
#14
In real word, repositories are signed by their author.
Any packages that has been injected by somebody else will not have the correct authentication. Example, if I'm able to add a package to repository.maemo.org and maemo.org has a GPG problem, nobody will ever see it..

With this signature, you have then to trust the author. You know that packages you install from his repo are really from him, because he's the only one having the private key.

If the author is able to get his key signed by somebody you trust (maemo.org) , it goes a bit further in the chain of trust.

Simply adding the repo, without installating anything doesn't create ANY risk at all.
Also, one package can not overwrite files of another package. You then have to look at which packages get updated if you don't trust the repository author.
 
Posts: 139 | Thanked: 24 times | Joined on Sep 2005
#15
I agree with you 100%, except for this:
Originally Posted by free View Post
Simply adding the repo, without installating anything doesn't create ANY risk at all.
In theory you're correct, but in reality it just goes like this: "Hey, a new version of MaemoMapper, cool! [click-click]". This behaviour is not a problem at all if the repositories are trusted, but with a rogue repo in the list it becomes a disaster.
 
Posts: 39 | Thanked: 12 times | Joined on Dec 2007
#16
Originally Posted by jussik View Post
I agree with you 100%, except for this:

In theory you're correct, but in reality it just goes like this: "Hey, a new version of MaemoMapper, cool! [click-click]". This behaviour is not a problem at all if the repositories are trusted, but with a rogue repo in the list it becomes a disaster.
I'm with you on this.. it goes back to my original suggestion that its safest to check whats on a repository before adding it.

But if you like fooling around with stuff (probably the case with most tablet owners).. then be prepared to reflash (restore) a few times

I'm thankful for those making the effort to develop for the platform. As a begger (non programmer) .. I cant be too choosy.. at the moment nothing rivals this platform.. poo on palm for letting another market slip.. Palm could of owned the hand held media player, messenging.. and browsing markets.. but they simply have no vision.. and now they have no platform lol.. As a long time Palm owner (original Palm Pilot 5000 to Tungsten T3).. I was extremely dissappointed that Palm wouldnt even cough the resources to develop basics such as their own media player, web browser, a decent image viewer.

If they cant support their own OS development efforts with basic but popular apps.. they should just stick to hardware.. and make something open for other platforms..

Now I hope Nokia learns from Palm's missteps.. perhaps make another maemo line targetted to the media player market. likely would be hard for them as they're not really established in the media field like Apple.. What would rock as suggested by others is a Nokia Tablet / Google collaboration and cross marketing..
 
Posts: 833 | Thanked: 124 times | Joined on Nov 2007 @ Based in the USA
#17
After searching, this thread looked about as good as any other to revive -
Could the extremely knowledgeable point to or add to the discusssion of a good thin list of needed repositories please?

I know of gronmayer's site and have seen a list from bun for his "7 special" (one for each day of the week?). And I thought I ran across where bun had a deb, but I couldn't find it again.

Anyways, any concise lists, for Diablo, and an easy way to add them?

bun's list
http://www.internettablettalk.com/fo...6&postcount=11

tia
__________________
N810, iGo bt kb, Diablo, 10Gb storage onboard instead of a Thinkpad
OTG w/ unlimited storage!!
Put a penguin in your pocket!!
PLEASE use the Wiki
 
GeneralAntilles's Avatar
Posts: 5,478 | Thanked: 5,222 times | Joined on Jan 2006 @ St. Petersburg, FL
#18
Originally Posted by gemniii42 View Post
Could the extremely knowledgeable point to or add to the discusssion of a good thin list of needed repositories please?
Yeah, one, Extras.
 

The Following User Says Thank You to GeneralAntilles For This Useful Post:
Posts: 833 | Thanked: 124 times | Joined on Nov 2007 @ Based in the USA
#19
That's pretty concise.
If it's all in the bun 7, why gronymayer's list of 63?
__________________
N810, iGo bt kb, Diablo, 10Gb storage onboard instead of a Thinkpad
OTG w/ unlimited storage!!
Put a penguin in your pocket!!
PLEASE use the Wiki
 
GeneralAntilles's Avatar
Posts: 5,478 | Thanked: 5,222 times | Joined on Jan 2006 @ St. Petersburg, FL
#20
Originally Posted by gemniii42 View Post
That's pretty concise.
If it's all in the bun 7, why gronymayer's list of 63?
Because gronmayer doesn't let you delete repositories so it's filled with legacy and crap repositories that have a high probability of breaking your device.

More seriously, it was created at a time when Extras isn't what it is today. Back then, due to issues with the Extras process and generally poor behavior of maintainers, lots of developers went and created their own repositories to distribute their software straight away. Today, that's not the case. Most everything useful or interesting goes to Extras (if not sooner, then later). By and large, everything you really need is now in Extras. If it isn't, well, either it's not ready, the maintainer needs to be whipped, or you really don't want to install it.

There are, obviously, some outliers (the Collabora repo might be a good example), but as a general recommendation, outliers don't factor in, so I'll leave it up to individual users whether they want to add specific 3rd party repositories to their application catalogs on a case-by-case basis.
 

The Following User Says Thank You to GeneralAntilles For This Useful Post:
Reply


 
Forum Jump


All times are GMT. The time now is 13:25.