[packagekit] Treating untrusted and trusted operations differently

David Zeuthen david at fubar.dk
Mon Apr 21 18:13:24 PDT 2008


On Tue, 2008-04-22 at 02:01 +0100, Richard Hughes wrote:
> On Mon, 2008-04-21 at 20:45 -0400, David Zeuthen wrote:
> > Then PackageKit is _broken_. Seriously. Think about it. You are creating
> > an abstraction over packaging systems. If you can't even support
> > different authorization levels for when a package is trusted vs. not
> > trusted then you have not really achieved much.
> 
> No, I'm saying that we can't pause a transaction half way through to ask
> for an auth depending on the status of a downloaded file. It's the same
> logic that we don't allow debian and ipkg scripts to ask random things
> and block the transaction during the install phase.

I don't think it's important to the user whether you are pausing or
canceling the transaction. To him it's all the same anyway. I think I
used the word "abort" by which I meant canceling a transaction. Sorry if
that wasn't clear.

> > Because, as I've tried to explain via private mail, there's a big fat
> > security problem in the way things works without this feature: At
> > best, PackageKit wouldn't be able to retain authorizations for
> > anything if you can't make this distinction.
> 
> I've tried to explain in my previous mail. Surely the fix is simple:
> make all transactions fail if _any_ of the packages are not trusted (read:
> has a valid GPG key). The corner case of installing the livna rpm needs to
> be handled (as this is untrusted, and we need to install it so that we
> can add the key for other package installs). This can be done using the 2
> stage attempt like I explained earlier.

The two stage attempt would just be

  1. UI tries InstallPackage("~/Desktop/livna-release.9-1.noarch.rpm")

  2. PackageKit returns NotAuthorized with action='.install-untrusted',
     result='auth_admin_one_shot'

  3. UI calls into the PolicyKit authentication agent to gain an
     authorization for action='.install-untrusted'

  4. If the auth was obtained then we try again
     InstallPackage("~/Desktop/livna-release.9-1.noarch.rpm")

  5. This succeeds. We're done.

     (Btw, where do you import the keys? I think these are part of the
      Livna release RPM and will get automatically installed. Will the
      user get a say in this? And where will he get prompted? Just
      curious.)

My point, one of them anyway, is that there's no point in polluting the API
with passing parameters trusted=TRUE or trusted=FALSE. It's all handled
by having two separate polkit actions: one for trusted software and one
for untrusted software. And you will even need authorizations for
installing trusted software, as outlined before. And then it's all the
same to the users of the PackageKit API.

     David
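The five-step flow above, and the point that two separate polkit actions make the trust distinction for free, as an added model in Python (editor's example, not PackageKit or PolicyKit code). The action ids, the per-action policy results, the keyring and the package names are all assumptions: the mail only abbreviates the untrusted action as '.install-untrusted', and real polkit retains grants per session rather than in a single in-process set.

```python
"""Added model of the two-action PolicyKit flow (editor's example, not PackageKit code)."""
from dataclasses import dataclass
from typing import Optional

# Hypothetical action ids; the mail abbreviates the second one as '.install-untrusted'.
ACTION_TRUSTED = "org.freedesktop.packagekit.install-trusted"
ACTION_UNTRUSTED = "org.freedesktop.packagekit.install-untrusted"

# Assumed policy, named after PolicyKit's result values: a trusted install may be
# retained once an admin has authenticated, an untrusted install is one-shot.
POLICY = {
    ACTION_TRUSTED: "auth_admin_keep",
    ACTION_UNTRUSTED: "auth_admin_one_shot",
}


@dataclass
class Package:
    path: str
    signing_key: Optional[str]  # id of the key that signed it; None = unsigned


class NotAuthorized(Exception):
    """What the daemon returns when the caller holds no authorization for the action."""
    def __init__(self, action: str, result: str):
        super().__init__(f"{action}: {result}")
        self.action, self.result = action, result


class Authority:
    """Stand-in for the polkit authority plus its authentication agent."""
    def __init__(self, policy):
        self.policy = policy
        self._retained = set()   # auth_admin_keep grants, reusable
        self._one_shot = set()   # auth_admin_one_shot grants, consumed on first use

    def is_authorized(self, action: str) -> bool:
        if action in self._retained:
            return True
        if action in self._one_shot:
            self._one_shot.discard(action)   # consumed by this single check
            return True
        return False

    def obtain(self, action: str, admin_authenticated: bool) -> bool:
        """Auth agent prompt; records the grant according to the policy result."""
        if not admin_authenticated:
            return False
        if self.policy[action] == "auth_admin_keep":
            self._retained.add(action)
        else:
            self._one_shot.add(action)
        return True


class Daemon:
    """PackageKit-like daemon: trust is decided here, never passed in by the UI."""
    def __init__(self, authority: Authority, keyring: set):
        self.authority = authority
        self.keyring = keyring      # key ids the packaging backend trusts (assumed)
        self.installed = []

    def install_package(self, pkg: Package) -> str:
        action = ACTION_TRUSTED if pkg.signing_key in self.keyring else ACTION_UNTRUSTED
        if not self.authority.is_authorized(action):
            raise NotAuthorized(action, self.authority.policy[action])
        self.installed.append(pkg.path)
        return action


def ui_install(daemon: Daemon, pkg: Package, admin_authenticated: bool = True):
    """Steps 1-5 of the mail: try, receive NotAuthorized, obtain auth, retry once.
    Returns (action used, number of auth prompts shown)."""
    try:
        return daemon.install_package(pkg), 0
    except NotAuthorized as err:
        if not daemon.authority.obtain(err.action, admin_authenticated):
            raise
        return daemon.install_package(pkg), 1


def run_demo():
    """Constructed scenario; returns the (action, prompts) sequence it produced."""
    authority = Authority(POLICY)
    daemon = Daemon(authority, keyring={"fedora-release-key"})
    sequence = []
    # The unsigned livna release rpm from the mail: untrusted, one-shot prompt.
    sequence.append(ui_install(daemon, Package("~/Desktop/livna-release.9-1.noarch.rpm", None)))
    # A second untrusted package prompts again: one-shot grants are not retained.
    sequence.append(ui_install(daemon, Package("~/Desktop/unknown.rpm", "unknown-key")))
    # Trusted packages (constructed names) prompt once; the retained grant is then reused.
    sequence.append(ui_install(daemon, Package("bash-3.2.rpm", "fedora-release-key")))
    sequence.append(ui_install(daemon, Package("vim-7.1.rpm", "fedora-release-key")))
    return sequence
```

The daemon maps each package to one of the two actions from its signature status alone, so the API surface is unchanged and the UI only ever reacts to the action id it gets back. The retained grant for the trusted action can never be replayed for an unsigned package, which is the retention problem the mail describes when only one action exists.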
