Xfce users in Zero Install survey

Thomas Leonard talex5 at gmail.com
Fri Oct 5 19:39:02 CEST 2007


On Thu, 04 Oct 2007 20:54:26 +0200, Nick Schermer wrote:
[...]
> I've no problems supporting other projects, but the launcher is not the
> right place to implement zeroinstall.

I should give a bit of background on why it's done this way, because if
you think of this as "the installer" then it clearly doesn't make much
sense putting it in the panel, and it would be quite right to separate
it out. (sorry, this is a bit long!)

To set the scene:

- Linux is rapidly gaining popularity.

- There is a significant risk that large numbers of Windows users will
  switch to Linux over the course of the next few years.

- If they do, the spammers and malware will come too.

Taking a standard Ubuntu/feisty install as an example (since it seems to
be the most popular system; most others are similar), this is how a
user typically installs a (3rd-party) minesweeper game onto their
computer:

1. Click on a link to .deb package in a web-page.
2. Package is downloaded. Confirmation box appears saying "This is a
   cool game".
3. User clicks on "Install".

By contrast, if a user wants to install a root-kit on their machine,
and have all their key-presses and browsing activity logged to a remote
machine, the steps are:

1. Click on a link to .deb package in a web-page.
2. Package is downloaded. Confirmation box appears saying "This is a
   cool game".
3. User clicks on "Install".

Note that this might even be what the user wanted (e.g. a company that
requires all actions to be recorded for auditing purposes might install
such a package).

No matter how good our security software gets, it can't protect us from
this, because the actions are identical; the computer has no way to know
what the user intended to do.

The most likely response of the distributions will be to block
third-party software. You can already see this attitude in the
currently-rare cases of existing malware (or just plain stupidity, e.g.
the Samsung printer drivers that made OpenOffice setuid root). This hurts
minority-appeal software (and new programs), because they don't get
included in distributions.

There are two ways we can change the installation user interface to fix
this. One is to display a (series of) confirmation box(es) asking the
user to confirm what the package wants to do ("Program wants to install
a menu entry Games/Minesweeper [Deny/Allow]", etc).

The problem here is that confirming all the actions is tedious and error
prone. Most packages are OK, and you can only click "Allow" so many
hundred times in a row before you stop reading the questions.

The other option, which I'm trying to use here, is to have a different
gesture for each case. When you drag a program (e.g. Blender) onto the
panel's launcher dialog, these things happen:

1. Zero or more archives will be downloaded and unpacked. Each will
   unpack to a new, uniquely named directory. They will not overwrite or
   interfere with any other programs or files on your computer.

2. A launcher will be added to the menu you dragged it to.

Nothing else will happen. No downloaded code is executed. Nothing on
your system will break (well, unless you ran out of disk space ;-).
There is no need to confirm adding the item to the menu, because the
user's action shows what they intended to do.

[ Insert standard disclaimer. All software has bugs. The above is how
  it's *designed* to work. ]

On the other hand, if you want to install a root-kit with Zero Install:

$ sudo 0launch http://example.com/minesweeper.xml

Here we use a different gesture, because we want to execute something as
root, not add a launcher to a menu. My goal is to make this second case
rare enough that people might actually think about it before doing it,
or even rare enough that they don't need to be given root access in the
first place.

Likewise, if you wanted to add a firefox plugin, that would be a
different gesture again (maybe dragging to firefox's list of plugins
dialog). So, there is no single "installer", just various integration
points, one of which is the Xfce panel.

Now, because of the rather coarse-grained ("root" or "user") security
domains we have at present, when you click on a launcher in the Xfce
panel the program still gets to do anything your user can do. So, the only
security advantage is containing something in a user account rather than
giving it root. My hope is that, in future, people will combine it with
sandboxing software to actually run the programs in a restricted way.

Current options include Plash (which lets you set policies such as "When
I click on a PDF file, run Acroread with read access to only that one
file, and write access nowhere"), and seccomp (a process can't open any
files at all; useful for codecs etc).

Anyway, that's the background. Even if you don't buy the security stuff
("it'll never work!") it still makes installing easier IMO, and helps to
avoid accidents.


-- 
Dr Thomas Leonard		http://rox.sourceforge.net
GPG: 9242 9807 C985 3C07 44A6  8B9A AE07 8280 59A5 3CC1
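As an added illustration (not code from Zero Install or from this thread), the following Python models the two steps described in the message: each archive is unpacked into its own uniquely named directory that is never overwritten, and a menu launcher is written without executing anything downloaded. The sha256-based directory naming, the .desktop launcher format, the archive-member checks and the in-memory sample archive are assumptions of this example, not details of the real implementation.

```python
import hashlib, io, os, shutil, tarfile, tempfile

def _safe_members(tar):
    # Refuse anything that could write outside the target directory.
    for m in tar.getmembers():
        bad = os.path.isabs(m.name) or os.path.normpath(m.name).startswith("..")
        if bad or m.issym() or m.islnk():
            raise ValueError(f"unsafe archive member: {m.name!r}")
        yield m

def install_archive(archive_bytes, cache_dir):
    """Unpack into cache_dir/sha256=<digest>; an existing directory is never touched."""
    dest = os.path.join(cache_dir, "sha256=" + hashlib.sha256(archive_bytes).hexdigest())
    if os.path.isdir(dest):
        return dest, False                      # already cached: nothing is modified
    tmp = tempfile.mkdtemp(dir=cache_dir)       # unpack privately, publish atomically
    try:
        with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
            tar.extractall(tmp, members=list(_safe_members(tar)))
    except Exception:
        shutil.rmtree(tmp, ignore_errors=True); raise
    os.rename(tmp, dest)
    return dest, True

def add_launcher(menu_dir, name, feed_url):
    """Write a .desktop entry that will run the program via 0launch; nothing runs now."""
    os.makedirs(menu_dir, exist_ok=True); path = os.path.join(menu_dir, name + ".desktop")
    with open(path, "w") as f:
        f.write(f"[Desktop Entry]\nType=Application\nName={name}\nExec=0launch {feed_url}\n")
    return path

def make_archive(files):  # in-memory tar.gz from {path: bytes}; constructed sample data
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name); info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def demo():  # exercise the model on constructed data and report what happened
    cache, menu = tempfile.mkdtemp(), tempfile.mkdtemp()
    arc = make_archive({"minesweeper/mines": b"#!/bin/sh\necho hello\n"})
    d1, fresh1 = install_archive(arc, cache)
    d2, fresh2 = install_archive(arc, cache)    # same archive again: reused, not overwritten
    try:
        install_archive(make_archive({"../evil": b"x"}), cache); rejected = False
    except ValueError:
        rejected = True                         # path-traversal member refused
    launcher = add_launcher(menu, "Minesweeper", "http://example.com/minesweeper.xml")
    return dict(same=d1 == d2, fresh=(fresh1, fresh2), rejected=rejected, launcher=os.path.isfile(launcher))
```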