
launchpad-dev team mailing list archive

Re: Instead of authorizing individual applications against the Launchpad web service, let's authorize the Ubuntu desktop as a whole


On 6 October 2010 12:08, Robert Collins <robert.collins@xxxxxxxxxxxxx> wrote:
> Ok, so what *should* we aim at?

Not doing anything that would get in the way of Ubuntu supporting TCB
(an ill-defined term in this context), or make it overly hard to
support it in the future.

It seems to me that writing our own desktop agent will just increase the
amount of code that needs to be updated in this context.

Suppose today you for some reason needed to run some code that you
thought possibly would be hostile.  I would not run it in the same X
session or user account as my real work.  I would probably run it in a
vm; ideally with some external firewalling of its network
connectivity.  Launchpad tokens support that tolerably well: give a
new token to that vm.  Perhaps create a new bot account specifically
for it.  The problems would be mostly:

 * the permissions are very coarse: if you can get by giving it only
anonymous access that's great; but if it can write under your account
it can cause a fair bit of damage
 * the UI to revoke tokens is not great.

One good thing in Launchpad is that it does tend to send mail to people, which
gives you an audit trail of a kind.

-- 
Martin
