[gnome-software: 1/2] gs-app-context-bar: Improve handling of non-sandboxed applications
- From: Philip Withnall <pwithnall src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gnome-software: 1/2] gs-app-context-bar: Improve handling of non-sandboxed applications
- Date: Thu, 16 Sep 2021 12:16:57 +0000 (UTC)
commit bdaffd23102a6099e4ee86150ee2546fc077e503
Author: Philip Withnall <pwithnall endlessos org>
Date: Thu Sep 16 10:20:34 2021 +0100
gs-app-context-bar: Improve handling of non-sandboxed applications
Non-sandboxed applications (basically anything provided by standard
RPM or DEB distro packaging) has ‘unknown’ permissions in
gnome-software’s internal model. Previously, this fact was stated
explicitly (“Software has unknown permissions”).
That’s not particularly helpful to users. They don’t know what the
permissions are, or what having unknown permissions means for how an
application can be trusted. There’s a large amount of RPM/DEB packaged
software out there and distros actually do a pretty good job of vetting
it for malicious things. While the lack of sandboxing for such
applications means that bugs in them can be exploited with sometimes
wide-ranging effects (full access to the user’s home directory, for
example), the applications can be trusted.
Let the user know that explicitly. Instead of saying the permissions are
unknown, say that an application is not sandboxed and either comes from
a (trusted) distribution repo, or from a (potentially less trusted)
third party repo.
For GNOME 42 we can look at differentiating on the basis of sandboxing
even more explicitly by (potentially) introducing a ‘trusted’ state for
the tiles as a counterpoint to ‘safe’. It’s too late in the 41 cycle for
that, though. See
https://gitlab.gnome.org/GNOME/gnome-software/-/issues/1451 for that.
The differentiation between distro repos and third-party repos is done
on the presence of the `GS_APP_QUIRK_PROVENANCE` quirk, which is set by
the `provenance` plugin. In order to work correctly, this requires
distros to configure the list of trusted repo IDs in the
`org.gnome.software.official-repos` GSettings key. Fedora, for example,
does this as a step in the gnome-software package install process.
(See
https://src.fedoraproject.org/rpms/gnome-software/blob/rawhide/f/gnome-software.spec#_130.)
As part of this, this commit removes the old handling of
`GS_APP_QUIRK_PROVENANCE`: the strings weren’t entirely helpful, and it
didn’t have a converse implemented.
Signed-off-by: Philip Withnall <pwithnall endlessos org>
Fixes: #1450
src/gs-app-context-bar.c | 36 ++++++++++++++++++++++++------------
src/gs-safety-context-dialog.c | 39 +++++++++++++++++----------------------
2 files changed, 41 insertions(+), 34 deletions(-)
---
diff --git a/src/gs-app-context-bar.c b/src/gs-app-context-bar.c
index 6799a26b4..7eab047a2 100644
--- a/src/gs-app-context-bar.c
+++ b/src/gs-app-context-bar.c
@@ -352,12 +352,33 @@ update_safety_tile (GsAppContextBar *self)
}
}
- if (permissions == GS_APP_PERMISSIONS_UNKNOWN)
+ /* Unknown permissions typically come from non-sandboxed packaging
+ * systems like RPM or DEB. Telling the user the software has unknown
+ * permissions is unhelpful; it’s more relevant to say it’s not
+ * sandboxed but is (or is not) packaged by a trusted vendor. They will
+ * have (at least) done some basic checks to make sure the software is
+ * not overtly malware. That doesn’t protect the user from exploitable
+ * bugs in the software, but it does mean they’re not accidentally
+ * installing something which is actively malicious.
+ *
+ * FIXME: We could do better by potentially adding a ‘trusted’ state
+ * to indicate that something is probably safe, but isn’t sandboxed.
+ * See https://gitlab.gnome.org/GNOME/gnome-software/-/issues/1451 */
+ if (permissions == GS_APP_PERMISSIONS_UNKNOWN &&
+ gs_app_has_quirk (self->app, GS_APP_QUIRK_PROVENANCE))
+ add_to_safety_rating (&chosen_rating, descriptions,
+ SAFETY_SAFE,
+ /* Translators: This indicates that an application has been packaged
+ * by the user’s distribution and is safe.
+ * It’s used in a context tile, so should be short. */
+ _("Reviewed by your distribution"));
+ else if (permissions == GS_APP_PERMISSIONS_UNKNOWN)
add_to_safety_rating (&chosen_rating, descriptions,
SAFETY_POTENTIALLY_UNSAFE,
- /* Translators: This indicates that we don’t know what permissions an
app requires to run.
+ /* Translators: This indicates that an application has been packaged
+ * by someone other than the user’s distribution, so might not be safe.
* It’s used in a context tile, so should be short. */
- _("Software has unknown permissions"));
+ _("Provided by a third party"));
/* Is the code FOSS and hence inspectable? This doesn’t distinguish
* between closed source and open-source-but-not-FOSS software, even
@@ -377,15 +398,6 @@ update_safety_tile (GsAppContextBar *self)
* It’s used in a context tile, so should be short. */
_("Auditable code"));
- /* Does the app come from official sources, such as this distro’s main
- * repos? */
- if (gs_app_has_quirk (self->app, GS_APP_QUIRK_PROVENANCE))
- add_to_safety_rating (&chosen_rating, descriptions,
- SAFETY_SAFE,
- /* Translators: This indicates an app comes from the distribution’s
main repositories, so can be trusted.
- * It’s used in a context tile, so should be short. */
- _("Software comes from a trusted source"));
-
if (gs_app_has_quirk (self->app, GS_APP_QUIRK_DEVELOPER_VERIFIED))
add_to_safety_rating (&chosen_rating, descriptions,
SAFETY_SAFE,
diff --git a/src/gs-safety-context-dialog.c b/src/gs-safety-context-dialog.c
index 02cc49789..890543070 100644
--- a/src/gs-safety-context-dialog.c
+++ b/src/gs-safety-context-dialog.c
@@ -125,16 +125,23 @@ update_permissions_list (GsSafetyContextDialog *self)
permissions = gs_app_get_permissions (self->app);
- /* Handle unknown permissions. */
- add_permission_row (self->permissions_list, &chosen_rating,
- (permissions == GS_APP_PERMISSIONS_UNKNOWN),
- GS_CONTEXT_DIALOG_ROW_IMPORTANCE_WARNING,
- "dialog-question-symbolic",
- _("Unknown Permissions"),
- _("The permissions needed by this app aren’t known"),
- NULL, NULL, NULL);
-
- if (permissions != GS_APP_PERMISSIONS_UNKNOWN) {
+ /* Handle unknown permissions. This means the application isn’t
+ * sandboxed, so we can only really base decisions on whether it was
+ * packaged by an organisation we trust or not.
+ *
+ * FIXME: See the comment for GS_APP_PERMISSIONS_UNKNOWN in
+ * gs-app-context-bar.c. */
+ if (permissions == GS_APP_PERMISSIONS_UNKNOWN) {
+ add_permission_row (self->permissions_list, &chosen_rating,
+ !gs_app_has_quirk (self->app, GS_APP_QUIRK_PROVENANCE),
+ GS_CONTEXT_DIALOG_ROW_IMPORTANCE_WARNING,
+ "channel-insecure-symbolic",
+ _("Provided by a third party"),
+ _("Check that you trust the vendor, as the application isn’t sandboxed"),
+ "channel-secure-symbolic",
+ _("Reviewed by your distribution"),
+ _("Application isn’t sandboxed but the distribution has checked that it
is not malicious"));
+ } else {
add_permission_row (self->permissions_list, &chosen_rating,
(permissions & GS_APP_PERMISSIONS_NONE) != 0,
GS_CONTEXT_DIALOG_ROW_IMPORTANCE_UNIMPORTANT,
@@ -304,18 +311,6 @@ update_permissions_list (GsSafetyContextDialog *self)
_("Auditable Code"),
_("The source code is public and can be independently audited, which makes the
app more likely to be safe"));
- /* Does the app come from official sources, such as this distro’s main
- * repos? */
- add_permission_row (self->permissions_list, &chosen_rating,
- gs_app_has_quirk (self->app, GS_APP_QUIRK_PROVENANCE),
- GS_CONTEXT_DIALOG_ROW_IMPORTANCE_UNIMPORTANT,
- "test-pass-symbolic",
- /* Translators: This indicates an app comes from the distribution’s main
repositories, so can be trusted.
- * It’s used in a context tile, so should be short. */
- _("App comes from a trusted source"),
- _("Your distribution has verified that this app can be trusted"),
- NULL, NULL, NULL);
-
add_permission_row (self->permissions_list, &chosen_rating,
gs_app_has_quirk (self->app, GS_APP_QUIRK_DEVELOPER_VERIFIED),
GS_CONTEXT_DIALOG_ROW_IMPORTANCE_UNIMPORTANT,
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
