[packagekit] 1-click; Third party vendors; etc.

Klaus Kaempf kkaempf at suse.de
Mon Jun 2 10:22:06 PDT 2008


* Jan Niklas Hasse <jhasse at gmail.com> [Jun 02. 2008 19:03]:
> I think OCI is a very bad idea. Clicking on "Install this!" I'm not
> only trusting a vendor to install a program on my machine, but to run
> code as root!
> If I'm a developer of a very popular program, I could people tell to
> use OCI to get it. When a certain amount of people downloaded my
> software, I could provide an update which contains malware inside its
> post-remove script. How long do you think it takes someone to find
> out? By that time I could have easily stolen many of passwords and got
> enough money to disappear :-)

Please explain how this is different from the usual 'rpm for
distribution XYZ -> download here' links posted on project websites.

Users click there, download and install it. Installation is done as
root and the package can run all sorts of bad things in it %post
section.
The only difference I can see is that between download and install,
you can inspect the package binary and look at the scripts within. Do
people do this ?

Klaus



More information about the PackageKit mailing list