On Thu, 2016-11-17 at 11:38 +0100, Kalev Lember wrote:
> On 11/17/2016 10:48 AM, Alexander Larsson wrote:
>> The problem is when the runtime is *not* installed. The untrusted remote could claim to have an "org.gnome.Platform" runtime, which will then be installed, and at this point you're affecting another app.
> Is it possible to use cryptography here to make this a bit more safe and easier to use? Instead of just matching "org.gnome.Platform" name, apps could maybe also require that "org.gnome.Platform" is signed with a certain key? And then we could do automatic install if we can find a runtime with matching signature? Also, maybe different "org.gnome.Platform" runtimes signed with different keys should be parallel installable?
We could pre-install a configuration for an individual runtime like org.gnome.Platform, which includes a GPG key, and then that could be used automatically. This essentially happens now, I think. At least there was a discussion about including preconfigured remotes for Fedora.
However, assuming this is a runtime we know nothing about, and some app A depends on it. What prohibits app B from saying it depends on that runtime name, but supplying a different URL for it *and* a different GPG key?
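As an added illustration of the key-pinning idea raised in the thread (this is not flatpak code and not from either author), here is a toy Python model in which a runtime is identified by (name, signing-key fingerprint): an app is only auto-resolved against a runtime signed with the key it pins, and two remotes offering the same runtime name under different keys land in separate install slots. Remote URLs, app IDs and fingerprints are constructed placeholders.

```python
# Added example, not flatpak's implementation: a model of binding a
# runtime dependency to a signing key instead of to a bare name.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RuntimeOffer:
    name: str        # runtime name a remote claims, e.g. "org.gnome.Platform"
    remote_url: str  # constructed placeholder URL of the offering remote
    key_fpr: str     # fingerprint of the GPG key the runtime is signed with


@dataclass
class App:
    app_id: str
    runtime: str      # runtime name the app depends on
    runtime_key: str  # pinned fingerprint the runtime must be signed with


@dataclass
class Installation:
    # Installed runtimes are keyed by (name, key): runtimes with the same
    # name but different signing keys are parallel installable.
    runtimes: dict = field(default_factory=dict)


def resolve_runtime(app, install, offers):
    """Return the runtime used for `app`, installing it from a remote if
    needed. Only an offer whose name AND signing key match the app's pin
    is accepted; a same-named runtime under another key is never picked."""
    slot = (app.runtime, app.runtime_key)
    if slot in install.runtimes:
        return install.runtimes[slot]
    for offer in offers:
        if offer.name == app.runtime and offer.key_fpr == app.runtime_key:
            install.runtimes[slot] = offer
            return offer
    return None  # no trusted match: refuse to auto-install


def demo():
    # Constructed sample data: a known remote and an untrusted remote that
    # both claim to provide "org.gnome.Platform" under different keys.
    gnome = RuntimeOffer("org.gnome.Platform", "https://sdk.example/repo", "KEY-GNOME")
    other = RuntimeOffer("org.gnome.Platform", "https://untrusted.example/repo", "KEY-OTHER")
    install = Installation()
    app_a = App("org.example.A", "org.gnome.Platform", "KEY-GNOME")
    app_b = App("org.example.B", "org.gnome.Platform", "KEY-OTHER")
    app_c = App("org.example.C", "org.gnome.Platform", "KEY-UNKNOWN")
    used_a = resolve_runtime(app_a, install, [other, gnome])
    used_b = resolve_runtime(app_b, install, [other, gnome])
    used_c = resolve_runtime(app_c, install, [other, gnome])
    return used_a, used_b, used_c, len(install.runtimes)
```

App B's differently signed runtime gets its own slot and cannot replace the one app A resolved, while an app pinning a key no remote offers is left uninstalled rather than silently matched by name.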