RE: Extension security?

From: Gabriel Rossetti <gabriel rossetti trafigura com>
To: "Jasper St. Pierre" <jstpierre mecheye net>, Milan Bouchet-Valat <nalimilan club fr>
Cc: gnome-shell-list <gnome-shell-list gnome org>
Subject: RE: Extension security?
Date: Tue, 6 Dec 2011 08:11:36 +0000

Ok, thank you to both of you!

Cheers,
Gabriel

-----Original Message-----
From: gnome-shell-list-bounces gnome org [mailto:gnome-shell-list-bounces gnome org] On Behalf Of Jasper St. Pierre
Sent: 05 December 2011 23:30
To: Milan Bouchet-Valat
Cc: gnome-shell-list
Subject: Re: Extension security?

Also:

https://bugzilla.gnome.org/show_bug.cgi?id=665452

On Mon, Dec 5, 2011 at 5:23 PM, Milan Bouchet-Valat <nalimilan club fr> wrote:
> Le lundi 05 décembre 2011 à 23:14 +0100, Gabriel a écrit :
>> Hi all,
>>
>> I may be missing something, but the really nifty extensions site
>> prompted me to ask this, are there not potential security issues with
>> extensions being able to be installed by clicking on a webpage? Ans
>> since extensions are able to modify the way the UI behaves, could
>> someone not make one that steals users' info, make screenshots, steal
>> passwords (like emulating the login screen for example), etc?
> (Note this applies to any random third-party package users might install
> by clicking on a link and providing their password.)
>
>> I'm sure you thought of all this so I be interested in knowing how you
>> protect us (sandboxing, limiting the things API can do, not allowing
>> access to the HD except thought given functions, etc).
> This has been discussed on this list previously. See
> http://lwn.net/Articles/459786/ for a summary and links.
>
> Basically, the Shell ensures the extension comes from
> extensions.gnome.org, which requires a review of the code by other
> hackers; and it will never install/update extensions without user action
> (modal dialog). But once installed, extensions are not sandboxed and can
> do whatever they want to the Shell, or to your files (just like any app
> on the system).
>
>
> Cheers
> _______________________________________________
> gnome-shell-list mailing list
> gnome-shell-list gnome org
> http://mail.gnome.org/mailman/listinfo/gnome-shell-list

--
  Jasper
_______________________________________________
gnome-shell-list mailing list
gnome-shell-list gnome org
http://mail.gnome.org/mailman/listinfo/gnome-shell-list

________________________________

This email and any attachments are confidential and access to this email or attachment by anyone other than the addressee is unauthorised. If you are not the intended recipient please notify the sender and delete the email including any attachments. You must not disclose or distribute any of the contents to any other person. Personal views or opinions are solely those of the author and not of Trafigura. Trafigura does not guarantee that the integrity of this communication has been maintained nor that the communication is free of viruses, interceptions or interference. By communicating with anyone at Trafigura by email, you consent to the monitoring or interception of such email by Trafigura in accordance with its internal policies. Unless otherwise stated, any pricing information given in this message is indicative only, is subject to change and does not constitute an offer to deal at any price quoted.

References:
- Extension security?
  - From: Gabriel
- Re: Extension security?
  - From: Milan Bouchet-Valat
- Re: Extension security?
  - From: Jasper St. Pierre

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]