[arch-general] Announcing pacpak

Levente Polyak anthraxx at archlinux.org
Sun Jul 10 14:45:37 UTC 2016


On 07/10/2016 11:05 AM, pelzflorian (Florian Pelz) wrote:
> [...] Bundles ship with the version
> of their dependencies which they need. Dependencies are not
> force-upgraded with the operating system, but easily upgradable by the
> bundle creator.

We, as the Security Team, are strongly against any move to officially
ship bundles that manage their dependency versions themselves instead of
regular software builds.

In our opinion this will (sooner or later) lead to a security nightmare
with vulnerable dependencies and slow upstream to fix such bundles. This
approach multiplies the effort of tracking vulnerabilities in
libraries from one entity to an "infinite" amount of upstream bundle
creators.

This whole concept makes our security work either highly inefficient or
not possible at all. We have no interest in investigating all pinned
versions of all bundles to ensure every shipped software is indeed
properly fixed.

> 
> Flatpak allows you to run, say, a sandboxed and containerized copy of
> LibreOffice where opening an infected file can only cause harm to what
> the sandbox has access to, but not compromise the integrity of the
> system as a whole. Untrustworthy games can be isolated and run without
> fear of a system compromise. More generally, most GUI applications
> should probably be installed to and run from a Flatpak sandbox.

This is simply not true and in fact just an illusion. The whole
security of containers entirely depends on kernel namespacing (and maybe
cgroups against system-wide denial-of-service).
All containers share the very same kernel; any vulnerability and
exploit against it will ultimately lead to a whole system compromise.
The general trend of evangelizing that all fear should entirely be
abandoned because containers can't possibly compromise the integrity of
the whole system is wrong, self-defeating and dangerous.

> 
> This has major implications for traditional package managers. Pacman
> would be demoted to providing the base system on top of which Flatpak
> bundles downloaded from elsewhere are run (e.g. from gnome.org or from
> reallytheofficialwebsiteoflibreofficeipromise.com).

Just to make our (Security Team) opinion clear: We are strictly against
such a move (on a distribution level of scale) and strongly advise
against it. We are very aware of all the arguments and reasons of the
advocate; however, this is our point of view.

Also to be clear: We don't want to speak out against your project or
discredit it by any means! Feel free to create and use whatever you like
and whatever makes you happy. We are just strongly against officially
shipping bundles instead of regular software builds.

sincerely,
Levente

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-general/attachments/20160710/76b66bc9/attachment.asc>
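The tracking problem described in the message above (one distro package per library versus many bundles, each pinning its own copy) can be made concrete with a small audit. The script below is an added example, not code from the mailing-list post or from pacpak/Flatpak; every bundle manifest, distro package version and advisory in it is constructed sample data, and the `fixed_in` field is a hypothetical simplification of a real advisory.

```python
"""Added example (not from the mailing-list post): audit pinned dependency
versions across application bundles against an advisory list, and compare
the tracking effort with a distro-managed library model.

All manifests, package versions and advisories below are constructed
sample data, not real Arch packages or real vulnerabilities."""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '1.2.5' into (1, 2, 5) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Advisory:
    library: str
    fixed_in: str  # hypothetical field: first version carrying the fix


# Constructed advisories: the library is vulnerable below fixed_in.
ADVISORIES = [
    Advisory("libfoo", "1.2.5"),
    Advisory("libbar", "3.0.1"),
]

# Distro model (constructed): one package per library, one version to track.
DISTRO_PACKAGES = {"libfoo": "1.2.5", "libbar": "3.0.1", "libbaz": "0.9.0"}

# Bundle model (constructed): each bundle pins its own copies of the libraries.
BUNDLES = {
    "office-suite": {"libfoo": "1.2.3", "libbar": "3.0.1"},
    "game-a": {"libfoo": "1.2.5", "libbar": "2.9.0"},
    "game-b": {"libfoo": "1.1.0", "libbaz": "0.9.0"},
    "chat-client": {"libbar": "3.0.1", "libbaz": "0.8.0"},
}


def is_vulnerable(version: str, advisory: Advisory) -> bool:
    """A pinned version is affected if it is older than the fixed version."""
    return parse_version(version) < parse_version(advisory.fixed_in)


def audit_distro(packages: dict, advisories: list) -> set:
    """Return the set of library names still vulnerable in the distro model."""
    return {
        a.library
        for a in advisories
        if a.library in packages and is_vulnerable(packages[a.library], a)
    }


def audit_bundles(bundles: dict, advisories: list) -> dict:
    """Return {bundle: [(library, pinned_version, fixed_in), ...]} for every
    bundle that still ships a vulnerable pinned copy of a library."""
    findings = {}
    for name, pins in bundles.items():
        hits = [
            (a.library, pins[a.library], a.fixed_in)
            for a in advisories
            if a.library in pins and is_vulnerable(pins[a.library], a)
        ]
        if hits:
            findings[name] = hits
    return findings


def tracking_effort(packages: dict, bundles: dict, advisories: list) -> tuple:
    """Count the (library, version) pairs that must be checked for the given
    advisories: once per library in the distro model, once per bundle that
    pins the library in the bundle model."""
    distro = sum(1 for a in advisories if a.library in packages)
    bundled = sum(
        1 for a in advisories for pins in bundles.values() if a.library in pins
    )
    return distro, bundled


if __name__ == "__main__":
    print("distro still vulnerable:", audit_distro(DISTRO_PACKAGES, ADVISORIES))
    for bundle, hits in audit_bundles(BUNDLES, ADVISORIES).items():
        for library, pinned, fixed in hits:
            print(f"{bundle}: {library} {pinned} pinned, fixed in {fixed}")
    distro, bundled = tracking_effort(DISTRO_PACKAGES, BUNDLES, ADVISORIES)
    print(f"checks per advisory set: distro={distro}, bundles={bundled}")
```

With the sample data the distro model is clean once the two library packages are updated, while three of four bundles still carry an old pinned copy and the number of version checks triples; every additional bundle that pins one of the affected libraries adds another check that someone has to perform.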
