The officially official Devuan Forum!

You are not logged in.

#1 2024-04-21 18:53:26

Micronaut
Member
Registered: 2019-07-04
Posts: 226  

Another security concern

Now that the hoopla about the attempted supply chain attack via LZMA/XZ has settled down somewhat, I'd like to ask about something else that has been concerning me for a while.

What about all these 'portable' application formats? AppImage/Flatpak/Snap are the ones I am currently aware of. There might be more? Aren't these self-contained systems all to themselves, that might contain anything? Is anyone auditing their contents?

They're called 'sandboxes', but that's only in relation to the dependencies. They don't seem to be isolated from the user environment. They seem to have full user access to the systems they are installed in. Granted, that's not the same thing as root, but wouldn't Trojan horses in Linux user land be just as dangerous as Trojan horses in Windows user land have been?

It looks to me like this is another way around many of the checks on malicious content, and I wonder if anyone is paying attention.

Offline

#2 2024-04-22 08:40:06

Andre4freedom
Member
Registered: 2017-11-15
Posts: 172  

Re: Another security concern

These portable application formats are a security concern indeed.
So the security-aware and -conscious would stay away from them, certainly on the main system, and only allow software from the original stable Devuan-repos (not the testing or experimental repos!!) to be applied to your system.
If you want to test such external sources, then it's best done in VMs, they are quite well isolated from the host system.
Fooling around with resources made available to VMs can hamper the security of your host system.
I always trust to Devuan sources and some well trusted external, Linux-friendly applications.
I'm not a security expert, but looong Unix and Linux experience made me quite confident to know some very good rules.

Offline

#3 2024-04-22 08:50:50

pl
Member
From: /etc/fstab
Registered: 2024-04-12
Posts: 17  
Website

Re: Another security concern

Micronaut wrote:

Aren't these self-contained systems all to themselves, that might contain anything?

Ye, these are such "systems" and can contain de-facto anything. Though it applies to all of "foreign" software packages

Micronaut wrote:

Is anyone auditing their contents?

I doubt so. Smaller project for sure aren't 'cause of obvious lack of manpower

Micronaut wrote:

What about all these 'portable' application formats?

Avoid them where possible. If something is available only with snaps/flatpak, either compile it yerself or consider an alternative.
Appimages (and normal portable tarballs) at least don't have to be installed to system. Does it make them more secure? Idk

Offline

#4 2024-04-22 14:11:48

JWM-Kit
Member
Registered: 2020-06-29
Posts: 138  
Website

Re: Another security concern

Warning! My Long winded opinion smile

Micronaut wrote:

Is anyone auditing their contents?

This question hits at the heart of the matter.  The truth is any type of software package, archive, etc can be used to spread malicious content. An appimage isn't any less secure than a .deb.  The real concern is not the format, it's the source. You really can't go wrong if it comes from the Debian/Devuan repository. I only use these formats as a last resort. To be honest they are probably safer than using random packages from the AUR. At least the portable formats attempt to sandbox the software. Just a thought, not defending these formats.

I'm not going to limit myself to only the software provided in my distro’s repository, but on the flip-side I am skeptical, and examine foreign packages carefully.  A stance I believe many, if not most people take.  JWMKit is not in the Debian repository, but I can proudly say it is used by many. Quite a number of users directly use the packages provided on my sourceforge. I am very transparent and not only provide the project code, but also the methods used to create packages.  I think this kind of transparency encourages trust between users and developers.

My concern for these formats is more about not wanting to have corporate junk pushed onto me, and having unnecessary service running in the background. As for the security of these formats I think it’s an issue that can be resolved by pooling the resources of the community.

...but to be honestly I’m still hoping snaps and flatpaks fail.

Last edited by JWM-Kit (2024-04-22 14:15:01)

Offline

Board footer