Integration script prompt leads to untrusted download

Bug #1059576 reported by Aaron Bentley on 2012-10-01
This bug affects 2 people
Affects Status Importance Assigned to Milestone
packagekit (Ubuntu)
unity-firefox-extension (Ubuntu)

Bug Description

When prompted "integration script avaliable unity-webapps-launchpad", if I click "Install", I get "The software is not from a trusted source. Do not install this package unless you are sure it is safe to do so."

If Ubuntu's Firefox is going to recommend this download, it should be trusted software.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in unity-firefox-extension (Ubuntu):
status: New → Confirmed

Michael Terry (mterry) wrote :

Apparently a lot of people do not get this. I do though, and I note that the packages are coming from universe. So I'm not sure what the beef could be.

Michael Terry (mterry) wrote :

mvo thinks this is because I have packagekit installed, and firefox is preferring that over aptdaemon. packagekit doesn't have the whitelist for webapps that aptdaemon does, so it makes sense that it would prompt for a password, but that doesn't yet explain why the warning mentions that it is not a trusted source.

Aaron Bentley (abentley) wrote :

I also have packagekit installed, so that could indeed be the cause.

Matthias Klumpp (ximion) wrote :

If this is the case, someone would need to implement this in PackageKit's Aptcc backend to make it work... Why do you need that whitelist anyway, it looks like a very weird idea to me... Is there a spec page about this feature?

Changed in packagekit (Ubuntu):
importance: Undecided → Wishlist

Michael Terry (mterry) wrote :

I'm not sure about a spec page. But the whitelist is just for a smoother experience. As I recall, aptdaemon whitelists packages from universe that match a webapps regex. Because it's a feature of Ubuntu out of the box, it makes it more seamless.

But there are two issues here. One is that it's asking for a password at all (the whitelist request) and the other is that it's suggesting a package from universe is not from a trusted source.

Matthias Klumpp (ximion) wrote :

Exactly.... And to be honest, I dislike that feature if it is implemented that way... Why do I have to install packages for *web*-apps anyway? And if they are trusted, wouldn't it make more sense to add them directly to main?
Also, a whitelist is not very flexible...

Sebastian Heinlein (glatzor) wrote :

Hello Matthias, Therry and Aaron,

Mvo is right: If packagekit is installed next to aptdaemon on the same system, it will be preferred when performing a packagekit action. That is a feature, since aptdaemon is the default and if a user decided to install packagekit, he/she seems to want to use it.

Canonical (Mvo) provided a branch which has now been merged into aptdaemon and which allows installing highly trusted packages without the need for any authentication by the desktop user. It is the decision of the distribution which packages from which repo are regarded as highly trusted. This can be configured by dropping in a small configuration file. To be honest, I am not a big fan of this feature either, but it seems to be a requirement by Ubuntu.

As a side note: Some time ago PackageKit even allowed a desktop user to install any trusted software without any authentication - but this was regarded as a security issue by large parts of the Fedora community. And so it was reverted.

AFAIK the implementation of this feature in PackageKit would require some re-designing of the PackageKit internals, since the daemon asks for the authentication before moving the (trans)action to the backend, which is aware of the highly trusted packages. The transaction needs to be simulated beforehand to know if any highly trusted packages are affected.
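
Added example, not part of the thread and not aptdaemon or PackageKit code: a small model of the ordering described in the last comment, where the transaction is simulated first and authentication is skipped only if every package it would install (dependencies included) matches the highly-trusted policy. The policy structure, the regex, the `signed` flag and the package index are assumptions constructed for illustration; only `unity-webapps-launchpad` and "universe" come from the thread.

```python
import re
from dataclasses import dataclass

# Hypothetical policy: (archive component, package-name regex) pairs a
# distribution regards as "highly trusted". Not aptdaemon's real format.
HIGH_TRUST = [("universe", re.compile(r"unity-webapps-[a-z0-9.+-]+"))]

@dataclass(frozen=True)
class Pkg:
    name: str
    component: str          # archive component, e.g. "main" or "universe"
    signed: bool            # assumed flag: origin repository had a valid signature
    depends: tuple = ()

# Constructed package index; only unity-webapps-launchpad is named in the thread.
INDEX = {p.name: p for p in (
    Pkg("unity-webapps-launchpad", "universe", True),
    Pkg("unity-webapps-demo", "universe", True, ("libdemo-helper",)),
    Pkg("libdemo-helper", "universe", True),
    Pkg("unity-webapps-thirdparty", "universe", False),
)}

def simulate(requested, index=INDEX):
    """Resolve every package the transaction would install (request + deps)."""
    todo, resolved = [requested], {}
    while todo:
        name = todo.pop()
        if name not in resolved:
            resolved[name] = index[name]      # KeyError for unknown packages
            todo.extend(index[name].depends)
    return list(resolved.values())

def is_high_trust(pkg):
    return pkg.signed and any(
        comp == pkg.component and rx.fullmatch(pkg.name) for comp, rx in HIGH_TRUST)

def needs_auth(requested, index=INDEX):
    """Skip authentication only if the whole simulated transaction is whitelisted."""
    try:
        plan = simulate(requested, index)
    except KeyError:
        return True                           # unknown package: fail closed
    return not all(is_high_trust(p) for p in plan)

if __name__ == "__main__":
    for name in ("unity-webapps-launchpad", "unity-webapps-demo",
                 "unity-webapps-thirdparty", "no-such-package"):
        print(f"{name}: authentication required = {needs_auth(name)}")
```

Checking only the requested name would let `unity-webapps-demo` pull in `libdemo-helper` without a prompt, which is why the decision has to follow simulation.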


