XDG-APP and D

Joseph Rushton Wakeling via Digitalmars-d-announce digitalmars-d-announce at puremagic.com
Sat Apr 23 08:41:38 PDT 2016


On Saturday, 23 April 2016 at 15:13:15 UTC, Anonymouse wrote:
> But that's more or less what he's saying though, if you read 
> his original blog post. His gripe isn't that it's defective 
> security-wise, but rather that it's being marketed as capital-s 
> Safe.

Except that his original blog post is just saying something that 
has already been made perfectly clear in Ubuntu's technical 
outreach, and announcing it as if it's a new discovery of an 
issue that wasn't already known.

See e.g. https://youtu.be/lHO8j8uo5Z4?t=1127

> As long as programs run under the X protocol, everything is up 
> for grabs. Snappy doesn't change that fact at all, so widely 
> claiming it makes it impossible to steal data would be 
> cherry-picking Mir behaviour.

Not entirely, because snap packages will have to specify that 
they wish to access X, and that opens up various scenarios both 
for package review and for the user to decide if that is 
acceptable for them -- again, see the video posted, a short while 
later: https://youtu.be/lHO8j8uo5Z4?t=1202

> At least, that's what Canonical assert. It's true in a sense - 
> if you're using Snap packages on Mir (ie, Ubuntu mobile) then 
> there's a genuine improvement in security.

... which is probably the widest use-case for snap packages ...

> But if you're using X11 (ie, Ubuntu desktop) it's horribly,
> awfully misleading. Any Snap package you install is
> completely capable of copying all your private data to
> wherever it wants with very little difficulty.

It's only "misleading" if (i) you discount the 
already-publicly-stated caveats about the limitations of snappy 
packages on an X11-based desktop and (ii) you discount the fact 
that snappy-packed apps must _request_ access to the X server and 
that precautions are being taken for how this is handled.

On the other hand, I feel it's distinctly misleading for someone 
to write a blog post saying, "Hey, I found a security flaw!" 
without mentioning either that the people responsible for the 
software have already publicly stated as much, _or_ the steps 
that they are taking to mitigate that.

When it comes from an author who already has previous form for 
attempting to whip up public drama around Ubuntu's projects, 
usually distorting the truth in the process, you'll forgive me if 
I don't feel some level of cynicism about his motives.
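As an added illustration of the point about snaps having to request X access (this is not part of the original post, nor Canonical's own documentation; the package name "example-app" and its command path are made up), the request is an explicit plug in the package's snapcraft.yaml. Under strict confinement an app gets no X socket at all unless it declares the x11 interface, so the declaration is visible to a reviewer before the snap is ever installed:

```yaml
# snapcraft.yaml (assumed, illustrative package; not a real snap)
name: example-app
version: '0.1'
summary: Illustrative snap requesting X11 access
description: |
  Constructed example showing an explicit x11 plug. Without the
  plug below, a strictly confined app cannot reach the X server.
confinement: strict

apps:
  example-app:
    command: bin/example-app
    plugs:
      # The x11 interface must be requested here; it is what a
      # reviewer or user sees when judging whether to grant it.
      - x11
      # Interfaces not listed (e.g. home, network) stay denied.
```

On an installed snap, `snap connections example-app` lists each plug and whether it is connected, and `snap disconnect example-app:x11` revokes the X access while leaving the rest of the confinement in place. The caveat the thread is about still applies: once the plug is connected, it is the X server, not the snap sandbox, that decides what the app can see, and on an X11 desktop that is everything other clients draw and type.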

