Web lists-archives.com

Re: Limiting the power of packages




On 04.10.2018 01:19, Carl-Valentin Schmitt wrote:
> It would be a possibility, for safety to create a new directory only for
> brandy 3rd-party-software like skype, Google Chrome, Swift, and else
> Software where huge companies are Sponsors.
>  
> This would then mean, to create a second sources list for 3rd-party-links.

We don't need to add anything to dpkg/apt for that - there's a simpler
solution:

Automatically fetch those packages from the vendor and collect them into
our own repo, but run a strict analysis before accepting anything.
Rules could be strictly limiting to certain filename patterns, file
modes (eg. forbid suid or limit to certain owners), no maintainer
scripts, etc, etc. We could either filter out anything suspicious or
reject the package completely (maybe even automatically filing
upstream bugs :p).

Yes, that would have to be customized per-package, but we're only
talking about a hand full of packages, anyways.


What's really important for me: don't add more complexity on the
target apt/deb for these few cases, unless *absolutely* *necessary*


By the way: we can put aside the whole Skype issue for the next few
month, as it's completely broken and unusable anyways - for several
month now. We could reconsider once the Upstream (Microsoft) manages
get it at least running w/o segfaulting.


--mtx

-- 
Enrico Weigelt, metux IT consult
Free software and Linux embedded engineering
info@xxxxxxxxx -- +49-151-27565287