ubuntu-appstore-developers team mailing list archive

[Ted Gould <ted@xxxxxxxxxx>]

On Thu, 2013-07-25 at 09:49 -0500, Jamie Strandboge wrote:

> On 07/25/2013 09:33 AM, Ted Gould wrote:
> > On Thu, 2013-07-25 at 16:04 +0200, Daniel Holbach wrote:
> >> I got the feeling that it might make sense to think about this and maybe
> >> make the conscious decision to not support this. There are a few reasons
> >> which might make this attractive:
> >>
> >>  - security issues regarding X mitigation
> > 
> > It seems like the only security issues are those that would say we shouldn't
> > ship Unity 7 at all :-)  So supporting Click there doesn't add or subtract.
> > 
> 
> I disagree. Click packages by themselves could be supported, sure. It is the
> unreviewed code in the appstore that is the problem. I think it would be unwise
> to let desktop users install arbitrary code on their systems via click packages
> from the appstore without display server mediation.


I think you have more faith in the current review system than I do ;-)

But if we truly think there is something dangerous here, we should
probably be proactive in stopping it.  I'm sure that if it will work,
there'll be an OMG! Ubuntu! story on how to set it up.

Perhaps unsetting the DISPLAY variable in Click package execution?  A
nasty warning if you try to install a click package and have xorg-server
installed?

Ted

Attachment: signature.asc
Description: This is a digitally signed message part