
ubuntu-phone team mailing list archive

Re: How do I know an app is safe to install?

 

On Tuesday 15 October 2013 10:06:36 Sergio Schvezov wrote:
> On Tue, Oct 15, 2013 at 9:16 AM, Michael Zanetti <michael.zanetti@xxxxxxxxxxxxx> wrote:
> > Hi,
> > 
> > On Monday 14 October 2013 18:09:14 David Planella wrote:
> > > In addition to all what Dave is saying, if you want to know more about this
> > > app, including links to the source code:
> > > 
> > > http://notyetthere.org/?p=351
> > 
> > Actually I share Jeremy's concerns. And I think none of Daniel's, David's
> > or Dave's comments are really addressing this issue:
> > 
> > * Dave: yes, the app passed the security checks. But given that the security
> > checks only deal with the binary blob it is debatable how useful those checks
> > are. IMHO they aren't useful at all in regard to security. I could sneak in
> > code that starts sending all your logins to myself and no one would notice it,
> > I bet.
> > 
> > * David: There is no relation between the source code and the uploaded binary
> > package. In this case all I can do is to give you my word that I won't do any
> > bad things. But in theory I could publish some source code and build the
> > binary out of some different code. You wouldn't notice for sure. Btw. because
> > of the missing trusted relationship between the uploaded binary and source
> > packages I didn't bother to upload the source package to the store.
> > 
> > * Daniel: Yes, it is confined in AppArmor but note that it has the networking
> > capability (mainly because it's enabled by default and I forgot to remove it -
> > will be gone in the next update). So even though this app might not be able to
> > steal your address book, I could still send out your Ubuntu SSO credentials
> > over the network once you set it up.
> > 
> > 
> > Jeremy, one thing you can do is to install the app called "Permy". It shows
> > you who made the app and which AppArmor permissions it has. Unfortunately
> > that's all we can do so far. There is no way to be sure what's in the app's
> > binary right now.
> 
> I am guessing that this is the biggest reason why apps were supposed to be
> qml only at the beginning. Or the thought that all of them should be qml
> only would avoid this issue. We are on a different path these days from the
> looks of it.

Oh well, I could have told you earlier that QML only won't work out :)
Actually a lot of badness came in with that guideline (e.g. the Music app will
probably need to be rewritten to a large extent at some point), but that's
a whole different discussion.

> 
> > That said, unfortunately this is how all the other mobile app stores work too,
> > and basically how 95% of all software on Windows and Mac is distributed. I
> > don't want to use that as an excuse but the thing is, this is what the market
> > demands right now. App developers don't want to publish their code and the
> > vast majority of users doesn't seem to care about security at all anyway.
> > It's a sad situation for people like us who actually DO care about security.
> > 
> > However, I haven't given up hope that at some point someone will set up some
> > app repository for Ubuntu Touch which requires developers to upload a source
> > package, the binary will be built on the trusted server and the exact same
> > source archive published along with the binary. But when this happens, I'm
> > sure it will only hold the geeky FOSS apps. For me personally that would be
> > enough as I tend to write all the apps I use myself anyway :P Would be
> > awesome to have a way to publish them in a trusted way to my "customers".
> 
> Today all the com.ubuntu.[appnames] are built on jenkins, you can freely
> check the code. I don't think it would be too hard to circle around the
> upload new source -> get new click. I do want to avoid rebuilding debian
> package builds though.

If we could enable such a thing for 3rd party app developers it'd be great.
Basically I would like to upload a signed source tgz containing some sort of
recipe and that one gets either automatically published or I get an email if
the build failed.

That would make me feel way more comfortable installing other peoples apps.

Cheers,
Michael
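
The scheme Michael asks for above (upload the source, build it on a trusted server, publish source and binary together) only closes the gap he describes in his first point if a third party can rebuild the source and get the same bytes the store ships. The following is an added example written for this thread, not code from the ubuntu-phone project, the click tooling, or any message above. It models the loop as: developer packs a source archive; a builder produces the artifact plus a provenance record (source hash, artifact hash, recipe used); anyone holding the published source and the store binary rebuilds and compares. The "build" is just repacking the files into a tar.gz, the record format and the function names are assumptions for illustration, and the sample source files are constructed. The point it makes that the prose does not: an honest but non-deterministic build (wall-clock mtimes, gzip header timestamp, random build id) cannot be verified by anyone, so the builder's recipe has to normalize those before the published source proves anything about the binary.

```python
"""Reproducible build as the link between published source and a store binary.

Added example for the ubuntu-phone thread "How do I know an app is safe to
install?". Not from the project or the click tooling; publish()/verify() and the
provenance record format are assumptions made for illustration.
"""
import gzip
import hashlib
import io
import tarfile
import time
import uuid

# Constructed sample "source package": file name -> contents.
SAMPLE_SOURCE = {
    "manifest.json": b'{"name": "com.example.hello", "version": "0.1"}\n',
    "hello.qml": b'import QtQuick 2.0\nText { text: "hello" }\n',
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pack_tgz(files: dict, deterministic: bool) -> bytes:
    """Pack files into a tar.gz.

    deterministic=False keeps what a naive packer leaks into the output:
    wall-clock file mtimes and the gzip header timestamp.  deterministic=True
    normalizes them (sorted names, mtime 0, uid/gid 0, gzip mtime 0), which is
    what lets a third-party rebuild come out byte-identical.
    """
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for name in sorted(files):  # directory listing order is not stable either
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o644
            info.uid = info.gid = 0
            info.mtime = 0 if deterministic else time.time()
            tar.addfile(info, io.BytesIO(data))
    # gzip writes the current time into its header unless told otherwise.
    return gzip.compress(tar_buf.getvalue(), mtime=0 if deterministic else None)


def unpack_tgz(tgz: bytes) -> dict:
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar.getmembers() if m.isfile()}


def build(source_tgz: bytes, deterministic: bool) -> bytes:
    """Builder step: unpack the source, add build metadata, pack the artifact."""
    files = unpack_tgz(source_tgz)
    if deterministic:
        # Only data derived from the input, so the artifact is bound to this exact source.
        files["BUILD_INFO"] = f"source-sha256: {sha256_hex(source_tgz)}\n".encode()
    else:
        # What many toolchains embed by default: a timestamp and a random build id.
        files["BUILD_INFO"] = f"built-at-ns: {time.time_ns()}\nbuild-id: {uuid.uuid4()}\n".encode()
    return pack_tgz(files, deterministic)


def publish(source_tgz: bytes, deterministic: bool) -> dict:
    """Trusted builder: build and return the artifact plus its provenance record."""
    artifact = build(source_tgz, deterministic)
    record = {
        "source_sha256": sha256_hex(source_tgz),
        "artifact_sha256": sha256_hex(artifact),
        "deterministic": deterministic,  # the recipe the builder used
    }
    return {"artifact": artifact, "record": record}


def verify(source_tgz: bytes, artifact: bytes, record: dict) -> bool:
    """Third-party check: does the store binary really come from the published source?

    Rebuilds from the source with the recorded recipe and compares hashes, so a
    record that names source S but a binary built from S' fails even if the hashes
    in the record are internally consistent.
    """
    if sha256_hex(source_tgz) != record["source_sha256"]:
        return False  # the source being shown is not the source that was built
    if sha256_hex(artifact) != record["artifact_sha256"]:
        return False  # the store ships a different binary than the builder produced
    rebuilt = build(source_tgz, record["deterministic"])
    return sha256_hex(rebuilt) == sha256_hex(artifact)


if __name__ == "__main__":
    src = pack_tgz(SAMPLE_SOURCE, deterministic=True)
    good = publish(src, deterministic=True)
    print("honest, reproducible build verifies:", verify(src, good["artifact"], good["record"]))

    naive = publish(src, deterministic=False)
    print("honest but non-deterministic build verifies:",
          verify(src, naive["artifact"], naive["record"]))

    # The attack from the thread: publish source S, ship a binary built from S'.
    backdoored = {**SAMPLE_SOURCE, "hello.qml": b'Text { text: "phone home" }\n'}
    swapped = build(pack_tgz(backdoored, deterministic=True), deterministic=True)
    forged = dict(good["record"], artifact_sha256=sha256_hex(swapped))
    print("published source S with binary from S' verifies:", verify(src, swapped, forged))
```

Run it as a script to see the three outcomes. The deterministic path normalizes only the fields that this toy build touches; a real recipe for a compiled app would also have to pin the toolchain and strip build paths and timestamps from the compiler output, which is the part of the problem that makes the "FOSS apps only" repository Michael imagines more work than an upload form.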

