ubuntu-phone team mailing list archive

[Sergio Schvezov <sergio.schvezov@xxxxxxxxxxxxx>]

On Tue, Aug 13, 2013 at 9:33 AM, Michael Zanetti <
michael.zanetti@xxxxxxxxxxxxx> wrote:

> Hi,
>
> I've just been watching this demo [1] on how to publish click packages.
> Looks
> very promising! However, one question that comes up here is at the
> uploading
> step (3:13 in the video):
>
> The website allows to upload a binary package and a source package.
> However, I
> can't see any connection between those two. How can I be sure that the
> binary
> click package indeed contains an unmodified version of the uploaded source
> package? From what I can see here I could easily publish some source code
> and
> then build a malicious package containing some additional bad code.
>

You will be confined by apparmor here and very limited in the bad things
you can do.


> Or will the uploaded binary click package be discarded and a new one built
> from the source in case the source is uploaded?
>

There is no debian/rules to say how to build or a debian/control to tell
you what else you need for building, so, although not authoritative, my
answer would be no. The whole system seems to be friendly for pure
interpreted/declarative code or closed source.

For what it's worth, I am dealing with an out of band click package builder
for the binary dependent packages we produce (i.e.; gallery-app,
camera-app, filemanager-app, ...), the equivalents for the how to build
would be feeded in and the what you need would be solved by having a base
chroot with only the things that are dev packages for the meta ubuntu-touch.

Building aside, and not even _store_ related, we also have and also take
into account the testing of those as there are no dependencies (I'm more
advanced on a temp solution for provisioning devices with what they need in
a Ubuntu Image Based Upgrade world but the final solution should be an
autopilot driver fully controlled from a host.

Cheers (or not ;-) )
Sergio