Bug 665452 - Very nice idea, but are there going to be safeguards in place soon?
Status: RESOLVED NOTABUG
Product: website
Classification: Infrastructure
Component: extensions.gnome.org
Version: current
Hardware: Other Linux
Importance: Normal normal
Assigned To: Shell extensions maintainer(s)
Reported: 2011-12-03 06:21 UTC by Dean Loros
Modified: 2011-12-04 19:39 UTC
Description Dean Loros 2011-12-03 06:21:01 UTC
I really like this idea, but it raises an interesting question---As the web page can interact with my operating system & install things without a root password---what safeguards are being contemplated? How is the site signed?

This "seems" (very loosely) to work kind of like a Ubuntu PPA--but without adding anything to a sources.list... Last thought is what kind of checking is being done on the extensions available?
Comment 1 Jasper St. Pierre (not reading bugmail) 2011-12-03 06:42:14 UTC
(In reply to comment #0)
> I really like this idea, but it raises an interesting question---As the web page
> can interact with my operating system & install things without a root
> password---what safeguards are being contemplated? How is the site signed?

The actual interaction between the web site and the system is done as a browser plugin. The browser plugin is especially careful to make sure that nobody but extensions.gnome.org can activate it -- it shuts itself off at the earliest opportunity if the domain of the site is not that.
Comment 2 Owen Taylor 2011-12-04 19:39:54 UTC
Some of the safeguards in place here:

 - The plugin can only be used from https://extensions.gnome.org and no other site (https is required - we don't allow http)

 - The plugin doesn't download plugins, it communicates over D-Bus with GNOME Shell to install plugins. What is sent to GNOME Shell is just the ID of the extension to install - so even if the first check is bypassed, the plugin still can't cause arbitrary plugins to be downloaded from other sites.

 - Before installing an extension, a dialog is displayed to the user to confirm that they intended to install an extension.

 - GNOME Shell separately communicates with extensions.gnome.org over HTTPS and checks the certificate validity. So, if the user was convinced to accept an invalid certificate for https://extensions.gnome.org as an exception in their browser, GNOME Shell still would catch that and refuse to install.

So, while I wouldn't rule out the possibility of an issue being found, we have multiple layers in place to reliably tie extension installation to https://extensions.gnome.org.
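
The layered checks listed in comment 2, sketched as an added example; this is not the GNOME plugin's or GNOME Shell's code. The function names, the ID grammar and the download path are assumptions made for illustration.

```javascript
// Added illustration only. TRUSTED_HOST restates the rule from the thread;
// the ID grammar and the download path are hypothetical.
const TRUSTED_HOST = "extensions.gnome.org";

// Layer 1: the page driving the plugin must be exactly https://extensions.gnome.org.
function isTrustedOrigin(pageUrl) {
  let u;
  try {
    u = new URL(pageUrl);
  } catch (e) {
    return false; // unparseable input is never trusted
  }
  // Compare parsed components exactly; prefix or suffix matching on the raw
  // string would accept look-alike hosts and user-info tricks.
  return u.protocol === "https:" &&
         u.hostname === TRUSTED_HOST &&
         u.port === "" && // the default port 443 normalises to ""
         u.username === "" && u.password === "";
}

// Layer 2: only an extension ID crosses into the shell, never a URL.
// Assumed grammar: letters, digits and "._-" on both sides of a single "@".
const ID_PATTERN = /^[A-Za-z0-9._-]+@[A-Za-z0-9._-]+$/;

function downloadUrlFor(extensionId) {
  if (typeof extensionId !== "string" || extensionId.length > 128 ||
      !ID_PATTERN.test(extensionId)) {
    return null;
  }
  // The host is fixed here, so the caller cannot redirect the download.
  const u = new URL("https://" + TRUSTED_HOST + "/HYPOTHETICAL-DOWNLOAD-PATH/");
  u.searchParams.set("id", extensionId);
  return u.href;
}

// Layers 1 to 3 chained; confirmWithUser stands in for the confirmation dialog.
function handleInstallRequest(pageUrl, extensionId, confirmWithUser) {
  if (!isTrustedOrigin(pageUrl)) return { ok: false, reason: "origin" };
  const url = downloadUrlFor(extensionId);
  if (url === null) return { ok: false, reason: "id" };
  if (!confirmWithUser(extensionId)) return { ok: false, reason: "declined" };
  // Layer 4 sits with whoever fetches `url`: use the platform's normal
  // certificate validation, independent of any exception stored in the browser.
  return { ok: true, url };
}
```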