← Back to team overview

unity-design team mailing list archive

  1. unity-design team
  2. Mailing list archive
  3. Message #00916

Re: Possible security risk with update-manager

  Thread PreviousDate PreviousThread Next 
On Tue, 15 Dec 2009 11:26:30 +0100 "Fabian A. Scherschel" 
<fabsh@xxxxxxxxxx> wrote:
>On Tue, Dec 15, 2009 at 10:44 AM, mac_v <drkvi-a@xxxxxxxxx> wrote:
>
>> On Tue, 2009-12-15 at 09:15 +0000, Alan Pope wrote:
>> > 2009/12/15 mac_v <drkvi-a@xxxxxxxxx>:
>> > > Why ask the admin password?
>> > > - Update manager is designed to be shown only for admin accounts and
>> > > doesnt show up for non-admins.
>> >
>> If someone other than the user is having access to a user account ,
>> there are bigger concerns than the guest updating the system.
>>
>> The guest[in this case the child] could delete important work files and
>> do more damage.
>> Why is updating harmful? Aernt the Stable release updates supposed to be
>> pain-free?
>>
>
>Hi, all!
>
>Wow, this is similar to the recent Fedora issue about installing packages
>without a password. I realise it all sounds logical theoretically when you
>put it like that but in the real world I can think of a lot of reasons 
where
>I would like to have something like the update of my system be locked down 
a
>bit. Think schools, leaving your computer unlocked for a second ie. I
>realise there are a lot of arguments like "well, you shouldn't do that
>anyway" but in the real world it doesn't work like that.
>
>Saying nothing in the trusted repos should break stuff in an update is all
>well and good, but I think we all know the world isn't perfect. Personally,
>I'd like to keep this control myself and not relinquish it to Ubuntu in
>general for a reason such as "oh, that password box bothers me".
>
>Security is all about shades of gray and discussions like this really worry
>me. At least implement a policy kit settings wizard or something for stuff
>like this that lets the user easily make this choice before just ripping 
out
>another protective barrier, as insignificant and inconvenient as it might
>seem.
>
>Just my five cents, feel free to prove me wrong. :)
>
It's not just similar, it's the same insanity.

I do trust the Ubuntu archive for all my systems and those used by my 
family.  That is completely orthogonal to the question of being comfortable 
with system installation of every package in the Ubuntu archive.  There are 
packages that I know will break systems in the configurations we use.

Scott K

References

  Thread PreviousDate PreviousThread Next