Re: Limiting the power of packages

On 2018-10-03 23:30, Antoine Beaupré wrote:
> There are somewhat low-hanging fruits in there like declarative
> maintainer scripts.

I am very much in favour of declarative maintainer scripts!
AFAIK, Niels Thykier has done a lot of work there, while Ralf
Treinen and colleagues are analysing maintainer scripts - they
even wrote a shell script parser that is not a shell itself.

However, I would not try to see this work too much as a means of
defense against malicious deb packages. This leads to a wrong,
non-achievable goal. I see it as a means to provide better
quality, predictable system state, and safety against bugs.

> Compared with the security models of iOS or Android, we still have
> quite a lot of work to do to make sure (say) my IRC client cannot
> steal my bank credentials or (the horror!) vice-versa. ;)