launchpad-dev team mailing list archive
Message #03759
Re: Quickly and Launchpad
On 12 July 2010 12:53, Leonard Richardson
<leonard.richardson@xxxxxxxxxxxxx> wrote:
> It's no secret that I think the desktop credential management app,
> although superior from a UI standpoint, is insecure. Up to this point
> the counter-argument has prevailed that malicious client code on an
> Ubuntu desktop is rare, so we shouldn't worry about it.
That is true but to me the main point is that if there is malicious
code running within your desktop machine, you have bigger problems
than your Launchpad account.
> I think this
> counter-argument has an additional premise that has just been revealed:
> malicious client code on an Ubuntu desktop is rare, *and if it does
> exist, the worst it can do is screw up your own system/Launchpad
> account*. With GRANT_PERMISSIONS plus the ability to upload GPG keys,
> once malicious code gets on an Ubuntu system it can easily infect
> thousands of other systems.
Can you unpack the logic there? Do you mean that if malicious code
gets onto an Ubuntu system of a user who can write to the main archive
or a popular PPA, it can propagate to thousands of other machines?
That is true, but orthogonal to whether there is an API to manipulate
credentials.
--
Martin