GNOME Bugzilla – Bug 781895
Flatpak remote names should be better handled
Last modified: 2017-12-24 04:36:27 UTC
When adding a remote from a .flatpakrepo file, I see its Title= and Comment= values displayed prominently. But then when trying to install an app from that repo, what is displayed is the Comment= value. And in the Software Sources dialog, what is shown is the name of the remote, which seems to be automatically set to the name of the file, without the .flatpakrepo extension. I just discussed this with Alex in #flatpak: the local list of configured remotes and their names is a point of trust in the flatpak model. The way Software currently handles that opens users to inadvertently installing malicious apps. For example, I could add mozilla.flatpakrepo and silly-game.flatpakrepo, both of which have "Comment=Apps from Mozilla". The comment is not displayed very prominently in the source install dialog, so I could easily miss it. And then, I might end up installing org.mozilla.Firefox from the silly-game remote, but Software will show me it comes from "Apps from Mozilla". On the CLI, the user is expected to name the remote themselves, which is what creates the trust in where each app gets installed from. This might not be the best UX for Software though.
In the design of flatpak the remote name is designed to be a trusted entity. You always name remotes yourself, and you always select the remote to install something from (directly by specifying it, or by accepting a prompt with the remote name). This is a fundamental point of trust in the security model, which is different from how e.g. apt or yum/dnf does it (there you just give the package name and it looks in all configured remotes for that name). The reason for this is that we're likely to have more remotes in flatpak than in say yum, and some will have lower levels of trust than others. We can't rely on things like flatpakrepo comments for this, because they are supplied by the repo source, and a malicious repo could claim to be something else.
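Added example (not code from the bug report, GNOME Software or flatpak): a small Python model of the two remotes described above. Both constructed .flatpakrepo files carry the same Comment= value, but only the locally assigned remote name (here derived from the file name, as the report says Software does) tells them apart. The sample file contents and URLs are invented for illustration.

```python
import configparser
from pathlib import PurePath

# Constructed sample .flatpakrepo files (not taken from the bug report).
# Both claim "Apps from Mozilla" in Comment= but point at different servers.
SAMPLE_REPO_FILES = {
    "mozilla.flatpakrepo": """[Flatpak Repo]
Title=Mozilla
Url=https://repo.example.org/mozilla/
Comment=Apps from Mozilla
""",
    "silly-game.flatpakrepo": """[Flatpak Repo]
Title=Silly Game
Url=https://repo.example.net/silly-game/
Comment=Apps from Mozilla
""",
}


def parse_flatpakrepo(text):
    """Parse the keyfile-style .flatpakrepo format.

    Every value here is supplied by the repo owner, so Title= and Comment=
    must be treated as untrusted strings, never as identity.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keyfile keys are case-sensitive
    cp.read_string(text)
    if "Flatpak Repo" not in cp:
        raise ValueError("missing [Flatpak Repo] group")
    group = cp["Flatpak Repo"]
    if "Url" not in group:
        raise ValueError("missing Url= key")
    return {
        "Title": group.get("Title", ""),
        "Url": group["Url"],
        "Comment": group.get("Comment", ""),
    }


def remote_name_from_filename(filename):
    """Mirror what the report describes: file name minus the extension."""
    return PurePath(filename).stem


def add_remotes(files):
    """Build the local remote list; the name is the locally chosen trust anchor."""
    remotes = {}
    for filename, text in files.items():
        name = remote_name_from_filename(filename)
        if name in remotes:
            raise ValueError(f"remote name {name!r} already configured")
        remotes[name] = parse_flatpakrepo(text)
    return remotes


def origin_label_spoofable(remotes, remote_name):
    """Behaviour the bug describes: show the repo-supplied Comment=."""
    return remotes[remote_name]["Comment"]


def origin_label_fixed(remotes, remote_name):
    """Behaviour after the fix: show only the local remote name."""
    return remote_name


def labels_are_distinct(remotes, label_fn):
    """True if the chosen label lets the user tell every remote apart."""
    labels = [label_fn(remotes, name) for name in remotes]
    return len(set(labels)) == len(labels)


if __name__ == "__main__":
    remotes = add_remotes(SAMPLE_REPO_FILES)
    for name in remotes:
        print(f"{name:12} comment={origin_label_spoofable(remotes, name)!r}")
    print("comment distinguishes remotes:", labels_are_distinct(remotes, origin_label_spoofable))
    print("remote name distinguishes remotes:", labels_are_distinct(remotes, origin_label_fixed))
```

Running it shows both remotes rendering as "Apps from Mozilla" when the comment is used as the origin label, while the remote names "mozilla" and "silly-game" stay distinct, which is the point Alex makes about the name being the trusted entity.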
For master:

commit 2ae02bf03baf5933c0a73a7c53bc0c54baf7fd3b
Author: Richard Hughes <richard@hughsie.com>
Date:   Fri Apr 28 17:11:56 2017 +0100

    Do not allow plugins to the origin title in the UI

    This can easily be spoofed with a malicious flatpakrepo or distro repo file.

    Fixes: https://bugzilla.gnome.org/show_bug.cgi?id=781895
For 3.22:

commit 4a147f3343acf6f608fad37606e72402b6107489
Author: Richard Hughes <richard@hughsie.com>
Date:   Tue May 2 08:29:53 2017 +0100

    Do not show the origin comment in the details page

    This can easily be spoofed with a malicious flatpakrepo or distro repo file.

    Fixes: https://bugzilla.gnome.org/show_bug.cgi?id=781895
*** Bug 791896 has been marked as a duplicate of this bug. ***