Re: [Ayatana] Possible security risk with update-manager

2009-12-20 Thread Jan Claeys
On Tuesday 15-12-2009 at 10:03 [timezone +], Alan Pope wrote: > 1) I'm in the middle of work and don't want firefox to become unstable > as it does after an update BTW: Firefox becoming unstable after an update is something that the NixOS Linux distro solved years ago... ;) -- Jan C

Re: [Ayatana] Possible security risk with update-manager

2009-12-15 Thread Chow Loong Jin
On Tuesday 15,December,2009 10:58 PM, mac_v wrote: >[...] > With policykit we can set up the admin account to be granted access to > admin privileges without password-prompts [ex:mounting internal > drives] , similar can probably be done for updates. > > The present policy of asking for password i

Re: [Ayatana] Possible security risk with update-manager

2009-12-15 Thread mac_v
On Tue, 2009-12-15 at 08:53 -0500, Scott Kitterman wrote: > On Tue, 15 Dec 2009 07:31:37 -0500 "Scott E. Armitage" > wrote: > >I don't think that mac_v is proposing /automated/ updates, so much as he is > >proposing that the current update scheme should not require the > >administrator's password

Re: [Ayatana] Possible security risk with update-manager

2009-12-15 Thread Scott E. Armitage
First, don't get me wrong -- I do not think allowing updates without checking the administrator password is a good idea; I just wanted to make sure we were all on the same page about it. Second, the difference is that automated updates would happen no matter what, whereas all an administrator woul

Re: [Ayatana] Possible security risk with update-manager

2009-12-15 Thread Scott Kitterman
On Tue, 15 Dec 2009 07:31:37 -0500 "Scott E. Armitage" wrote: >I don't think that mac_v is proposing /automated/ updates, so much as he is >proposing that the current update scheme should not require the >administrator's password. The administrator would still be notified of new >updates as they

Re: [Ayatana] Possible security risk with update-manager

2009-12-15 Thread Jim Rorie
On Tue, 2009-12-15 at 07:58 -0200, Paulo J. S. Silva wrote: > > Yes, but that's true for any window where the user is using the default > > theme. It has nothing particularly to do with Update Manager. > > There is something *very* specific to update-manager. It is the only > application that asks

Re: [Ayatana] Possible security risk with update-manager

2009-12-15 Thread Scott Kitterman
On Tue, 15 Dec 2009 11:26:30 +0100 "Fabian A. Scherschel" wrote: >On Tue, Dec 15, 2009 at 10:44 AM, mac_v wrote: > >> On Tue, 2009-12-15 at 09:15 +, Alan Pope wrote: >> > 2009/12/15 mac_v : >> > > Why ask the admin password? >> > > - Update manager is designed to be shown only for admin acco

Re: [Ayatana] Possible security risk with update-manager

2009-12-15 Thread Scott E. Armitage
I don't think that mac_v is proposing /automated/ updates, so much as he is proposing that the current update scheme should not require the administrator's password. The administrator would still be notified of new updates as they are now, and they would have to decide when to download and install

Re: [Ayatana] Possible security risk with update-manager

2009-12-15 Thread Scott Kitterman
On Tue, 15 Dec 2009 15:14:33 +0530 mac_v wrote: >Why is updating harmful? Aren't the Stable release updates supposed to be >pain-free? > That's an interesting theory. No system update is risk free. They should not be automatically imposed on users unless they have opted into such a scheme. A

Re: [Ayatana] Possible security risk with update-manager

2009-12-15 Thread mac_v
On Tue, 2009-12-15 at 10:03 +, Alan Pope wrote: > 2009/12/15 mac_v : > > If someone other than the user is having access to a user account, > > there are bigger concerns than the guest updating the system. > > > > Sure, but the topic of conversation is update manager, not "local > access is b

[Ayatana] Possible security risk with update-manager

2009-12-15 Thread Fabian A. Scherschel
On Tue, Dec 15, 2009 at 10:44 AM, mac_v wrote: > On Tue, 2009-12-15 at 09:15 +, Alan Pope wrote: > > 2009/12/15 mac_v : > > > Why ask the admin password? > > > - Update manager is designed to be shown only for admin accounts and > > > doesn't show up for non-admins. > > > If someone other than

Re: [Ayatana] Possible security risk with update-manager

2009-12-15 Thread Alan Pope
2009/12/15 mac_v : > If someone other than the user is having access to a user account, > there are bigger concerns than the guest updating the system. > Sure, but the topic of conversation is update manager, not "local access is bad, all bets are off". > The guest [in this case the child] could

Re: [Ayatana] Possible security risk with update-manager

2009-12-15 Thread Paulo J. S. Silva
> Yes, but that's true for any window where the user is using the default > theme. It has nothing particularly to do with Update Manager. There is something *very* specific to update-manager. It is the only application that asks my system password in an unpredicted manner. As far as I remember all

Re: [Ayatana] Possible security risk with update-manager

2009-12-15 Thread mac_v
On Tue, 2009-12-15 at 09:15 +, Alan Pope wrote: > 2009/12/15 mac_v : > > Why ask the admin password? > > - Update manager is designed to be shown only for admin accounts and > > doesn't show up for non-admins. > > Indeed. I prefer the OSX way which asks for a user _and_ a password. > This fits

Re: [Ayatana] Possible security risk with update-manager

2009-12-15 Thread Matthew Paul Thomas
Conscious User wrote on 14/12/09 14:50: >... > Matthew, he did say the example was very crude. Showing the status bar > and/or the address bar was a valid solution some years ago. Today, with > Javascript pop-ups, ubiquity of flash applets and rise of

Re: [Ayatana] Possible security risk with update-manager

2009-12-15 Thread Matthew Paul Thomas
Paulo J. S. Silva wrote on 14/12/09 15:10: >... > OK, let me get this straight. Are you saying that all pop-up windows > that appear to you in your browser have the window decorations around > it? Yes. > Could you please visit: > > http://www.popup-

Re: [Ayatana] Possible security risk with update-manager

2009-12-15 Thread Alan Pope
2009/12/15 mac_v : > Why ask the admin password? > - Update manager is designed to be shown only for admin accounts and > doesn't show up for non-admins. Indeed. I prefer the OSX way which asks for a user _and_ a password. This fits my use case which has my daughter using the Mac to surf the web. I

Re: [Ayatana] Possible security risk with update-manager

2009-12-15 Thread mac_v
On Mon, 2009-12-14 at 13:05 +, Matthew Paul Thomas wrote: > As I wrote in : "For several years Web > browsers have insisted on showing the address bar, or the status bar, or > both, in any popup window as a way of distinguishing it from native > application wi

Re: [Ayatana] Possible security risk with update-manager

2009-12-14 Thread Paulo J. S. Silva
> So even though not having the pop-up behavior in administrative tasks > would help us explain to user how to behave when they see weird > pop-ups in their computers. > Argh! What a bad (and convoluted) sentence. I meant: So even though there are scenarios where disabling the pop-up/under behavi

Re: [Ayatana] Possible security risk with update-manager

2009-12-14 Thread Paulo J. S. Silva
> As I wrote in : "For several years Web > browsers have insisted on showing the address bar, or the status bar, or > both, in any popup window as a way of distinguishing it from native > application windows. Can you provide a demo which avoids this security > meas

Re: [Ayatana] Possible security risk with update-manager

2009-12-14 Thread Conscious User
> As I wrote in : "For several years > Web browsers have insisted on showing the address bar, or the status > bar, or both, in any popup window as a way of distinguishing it from > native application windows. Can you provide a demo which avoids this > security meas

Re: [Ayatana] Possible security risk with update-manager

2009-12-14 Thread Matthew Paul Thomas
Paulo J. S. Silva wrote on 18/11/09 20:58: >... > There is a huge "Won't fix" bug concerning the pop-up/under behavior > of update manager since 9.04: > > https://bugs.launchpad.net/ubuntu/+source/update-notifier/+bug/332945 > > Recently one of the peo

[Ayatana] Possible security risk with update-manager

2009-11-18 Thread Paulo J. S. Silva
Hello, I am coming back to an old subject, but with new information. There is a huge "Won't fix" bug concerning the pop-up/under behavior of update manager since 9.04: https://bugs.launchpad.net/ubuntu/+source/update-notifier/+bug/332945 Recently one of the people that insist to keep the bug al