[FFe] passwordless install of webapps (based on repo whitelist)
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
aptdaemon (Ubuntu) | Fix Released | High | Unassigned | |
Bug Description
For the unity-webapps work the webapps team would like to install packages that only contain unity-webapps passwordless for a better user experience. They are regular packages but of a very simple form, essentially just a javascript file and an icon and no maintainer scripts.
My proposal would be to add a new class of policykit action:
"org.debian.
This can then be overridden by the webapps package via /var/lib/
The whitelist of the repository would be based on "Origin,Components" and packagename regexp. So something like: (LP-PPA-
/etc/aptdaemon/
This is all implemented now and I would like to ask for a feature freeze exception to add this into current quantal.
Note that this feature is generic enough to be useful for other use-cases like internal company repositories that are trusted.
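The whitelist check described in the report (origin, component, package-name regexp), as an added sketch that is not part of the original report and is not aptdaemon's code. The line format, the function names and the sample values are assumptions made for illustration.

```python
import re
from typing import NamedTuple

# Constructed sample whitelist; the line format and all values are assumptions.
SAMPLE = """\
# origin, component, package-name regexp
ExampleOrigin, main, unity-webapps-[a-z0-9.+-]+
"""

class Rule(NamedTuple):
    origin: str
    component: str
    name_re: re.Pattern

def parse_whitelist(text):
    """Parse whitelist lines. Fails closed: one malformed line or invalid
    regexp rejects the whole file, so a broken whitelist grants nothing."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",", 2)]
        if len(parts) != 3 or not all(parts):
            return []
        try:
            rules.append(Rule(parts[0], parts[1], re.compile(parts[2])))
        except re.error:
            return []
    return rules

def is_high_trust(rules, origin, component, package):
    """Origin and component must match exactly; the regexp must match the
    whole package name (fullmatch), not just a prefix or substring."""
    return any(r.origin == origin and r.component == component
               and r.name_re.fullmatch(package) is not None
               for r in rules)

def needs_password(rules, packages):
    """Passwordless only if every (origin, component, name) qualifies."""
    return not packages or not all(is_high_trust(rules, *p) for p in packages)

RULES = parse_whitelist(SAMPLE)
```

A transaction that mixes a whitelisted package with any other package still requires authentication, and an unparsable whitelist yields no rules at all.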
Related branches
- Michael Vogt: Needs Resubmitting
- Martin Pitt (community): Approve
Diff: 821 lines (+506/-36), 14 files modified
aptdaemon/core.py (+31/-1)
aptdaemon/policykit1.py (+4/-1)
aptdaemon/test.py (+15/-5)
aptdaemon/utils.py (+1/-0)
aptdaemon/worker.py (+112/-16)
data/org.debian.apt.policy.in (+24/-0)
tests/data/high-trust-repository-whitelist-broken.cfg (+10/-0)
tests/data/high-trust-repository-whitelist.cfg (+10/-0)
tests/repo/whitelisted/Packages (+34/-0)
tests/repo/whitelisted/Packages.gpg (+34/-0)
tests/repo/whitelisted/Release (+17/-0)
tests/test_client.py (+1/-0)
tests/test_high_trust_repository_whitelist.py (+201/-0)
tests/test_worker.py (+12/-13)
tags: added: ca-escalated
summary:
- passwordless install of certain apps
+ passwordless install of webapps (based on repo whitelist)
Changed in aptdaemon (Ubuntu):
importance: Undecided → High
status: New → Triaged
Changed in aptdaemon (Ubuntu):
status: Triaged → In Progress
description: updated
The approach seems fine to me, those don't really have a lot of code and those websites can already be accessed without password from a web browser anyway, I would still like to get the security team's opinion on the topic though, installing random .js from the web in an easy way is somewhat a bit scary ;-)