On 08/13/2013 08:33 AM, Michael Zanetti wrote: > On Tuesday 13 August 2013 10:01:58 Sergio Schvezov wrote: >> On Tue, Aug 13, 2013 at 9:33 AM, Michael Zanetti < >> >> michael.zane...@canonical.com> wrote: >>> Hi, >>> >>> I've just been watching this demo [1] on how to publish click packages. >>> Looks >>> very promising! However, one question that comes up here is at the >>> uploading >>> step (3:13 in the video): >>> >>> The website allows to upload a binary package and a source package. >>> However, I >>> can't see any connection between those two. How can I be sure that the >>> binary >>> click package indeed contains an unmodified version of the uploaded source >>> package? From what I can see here I could easily publish some source code >>> and >>> then build a malicious package containing some additional bad code. >> >> You will be confined by apparmor here and very limited in the bad things >> you can do. > > I don't agree here. I'm not entirely sure how AppArmor works, but I assume it > would block access to, for instance, my address book. If I still want to use > that app there must be some place where I can grant permissions to an app to > access my address book. This is where I would like to know what the package > actually does with my address book and where I would need to rely on the fact > that the binary package is indeed an *unpatched* version of the uploaded > source package. > Click packages will be confined by AppArmor[1] and there is a permissions model where developers declare what the click package can do[2]. Apps are quite confined by default by design and they are not allowed to access other app's data, among other things. This is to prevent malicious apps from doing harm to the system or obtaining the user's data. Application developers will need to used published APIs to access things like locations, online accounts, the addressbook, etc and these APIs will be supported in the click manifest. Access to data like the address book will be limited and handled via an out of process helper which may also help mediate the access (ie, provide a contextual runtime prompt). That's the good news-- the bad news is that not all of these APIs are implemented today, but they are being worked on. I'll let others comment on their status.
More specifically to your question-- click packages and the app store will support binary only uploads of packages. With this in mind, it isn't particularly useful to have a build server from a security point of view because a malicious app author would simply not upload the source to avoid detection. A build could be useful for other reasons-- such as to make sure that the app is built in a clean environment, etc, but I'll let others comment on that too. [1]https://wiki.ubuntu.com/SecurityTeam/Specifications/ApplicationConfinement [2]https://wiki.ubuntu.com/SecurityTeam/Specifications/ApplicationConfinement/Manifest#Click -- Jamie Strandboge http://www.ubuntu.com/
signature.asc
Description: OpenPGP digital signature
-- Mailing list: https://launchpad.net/~ubuntu-phone Post to : ubuntu-phone@lists.launchpad.net Unsubscribe : https://launchpad.net/~ubuntu-phone More help : https://help.launchpad.net/ListHelp
