undefined | Better HN

0 points616c9y ago0 comments

Well, that is my problem.

I want such things to exist, but I am not sure how they are controlled. The emphasis is on my lack of knowledge, not lack of tooling. Many of them are rapidly iterating and docs are so-so, despite xdg-app (nee Flatpack) being around for a while. This one is a reincarnation, if memory serves.

http://flatpak.org/ (They refer to xdg-app IRC and ML addresses)

So this is my main concern.

It is amazing most system administrators equate formal installation and ability to execute as 1:1 on Windows,OSX, and Unix environments. In most cases, I can extract executables from MSIs and use them from an admin install. Only more experienced people pick up on this (believe me, I am still new to this and it was years of sysadmining with skilled people to have this click in my mind when I started).

So why do I care? Software Restriction Policies and AppLocker and such are a pain. Executable signing and the infrastructure around it in OS X are a pain, and MAC systems in Linux are a pain. This brings real benefits to users, local non-privileged app installs on these systems, and these mitigation countermeasures mean more work for sys-admins, many who will never know in distros like Ubuntu it is on by default with kiosk machines.

Some of us developed Linux only kiosk machines for a reason: I could whittle that attack surface down real nice. Sadly, on every system that gets attention, it's a battle we lose, to get philosophical.

As a

0 comments

2 comments · 1 top-level

alexlarsson9y ago· 1 in thread

Installing in the users homedirectory is not a new feature added by these systems though, its always been possible. If you want to avoid that you have to e.g. mount /tmp and /home noexec, or use e.g. selinux policies to do the same. This will stop flatpak/snappy as well as any other approach for per-user apps.

616cOP9y ago

I do not dispute this. However, it adds all dependenices and dynamic loaded libraries (or static?) in most cases. So bundling applications to dupe users is increasingly easy.

I guess it just appearances. Perhaps it has always been this easy. But I predict with Ubuntu and more "user-friendly" distributions will make this a store.

Returning to the AppPlay debacle, this means that analogy will lead us to the "Google Play Store is increasingly filled with malware" scenario we fear.

Linux distros had secure distribution so right for so long. I see this as a step in the wrong direction.

j / k navigate · click thread line to collapse