Re: Limiting the power of packages
- Date: Thu, 4 Oct 2018 20:16:10 +0200
- From: Ralf Treinen <treinen@xxxxxxx>
- Subject: Re: Limiting the power of packages
On Thu, Oct 04, 2018 at 11:07:37AM +0200, W. Martin Borgert wrote:
> On 2018-10-03 23:30, Antoine Beaupré wrote:
> > There
> > are somewhat low-hanging fruits in there like declarative maintainer
> > scripts.
> I am very much in favour of declarative maintainer scripts!
> AFAIK, Niels Thykier has done a lot of work there, while Ralf
> Treinen and colleagues are analysing maintainer scripts - they
> even wrote a shell script parser, that is not a shell itself.
Indeed, our goal is to do QA on maintainer script and to detect
(possibly) buggy ones, in the sense that they may fail in a
unforeseen situation, or do stuff which the script is not supposed
to do. One of the difficulties is of course to know what it is
supposed to do, and what it must never do. Having a declaration
of what the maintainer thinks are the possible effects of a script
would certainly help us. In that case we could try to infer the
possible effects of a script and check that they do not exceed
what is declared.
> However, I would not try to see this work too much as means of
> defense against malicious deb packages. This leads to a wrong,
> non-achievable goal. I see it as a means to provide better
> quality, predictable system state, and safety against bugs.
yes, safety against a malicious attacker is a completely different
league. As Guillem has explained in his mail it is very difficult to
achieve due to the presence of many different attack vectors, and
their possible interaction.