Bug 781895 - Flatpak remote names should be better handled
Status: RESOLVED FIXED
Product: gnome-software
Classification: Applications
Component: General
Version: 3.24.x
Hardware: Other Linux
Importance: Normal normal
Assigned To: GNOME Software maintainer(s)
QA Contact: GNOME Software maintainer(s)
Duplicates: 791896
Reported: 2017-04-28 11:30 UTC by Mathieu Bridon
Modified: 2017-12-24 04:36 UTC

Description Mathieu Bridon 2017-04-28 11:30:05 UTC
When adding a remote from a .flatpakrepo file, I see its Title= and Comment= values displayed prominently.

But then when trying to install an app from that repo, what is displayed is the Comment= value.

And in the Software Sources dialog, what is shown is the name of the remote, which seems to be automatically set to the name of the file, without the .flatpakrepo extension.

I just discussed this with Alex in #flatpak: the local list of configured remotes and their names is a point of trust in the flatpak model.

The way Software currently handles that opens users to inadvertently installing malicious apps.

For example, I could add mozilla.flatpakrepo and silly-game.flatpakrepo, both of which have "Comment=Apps from Mozilla". The comment is not displayed very prominently in the source install dialog so I could easily miss it.

And then, I might end up installing org.mozilla.Firefox from the silly-game remote, but Software will show me it comes from "Apps from Mozilla".

On the CLI, the user is expected to name the remote themselves, which is what creates the trust in where each app gets installed from. This might not be the best UX for Software though.

Comment 1 Alexander Larsson 2017-04-28 14:12:31 UTC
In the design of flatpak the remote name is designed to be a trusted entity. You always name remotes yourself, and you always select the remote to install something from (directly by specifying it, or by accepting a prompt with the remote name). 

This is a fundamental point of trust in the security model, which is different from how e.g. apt or yum/dnf does it (there you just give the package name and it looks in all configured remotes for that name).

The reason for this is that we're likely to have more remotes in flatpak than in say yum, and some will have lower levels of trust than others.

We can't rely on things like flatpakrepo comments for this, because they are supplied by the repo source, and a malicious repo could claim to be something else.
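
Added example (not part of the bug report or of gnome-software's code): a check over the configured remotes that reports every repo-supplied Title=/Comment= string claimed by remotes with different Url= values, keyed by the locally chosen remote name. The remote names, file contents and `.example` URLs are constructed sample data, and the function names are hypothetical.

```python
import configparser
import unicodedata
from collections import defaultdict

# Constructed sample data: locally chosen remote name -> .flatpakrepo contents
# (written by whoever publishes the repo). URLs are placeholders.
REMOTES = {
    "mozilla": "[Flatpak Repo]\nTitle=Mozilla\nComment=Apps from Mozilla\n"
               "Url=https://mozilla.example/repo/\n",
    "silly-game": "[Flatpak Repo]\nTitle=Silly Game\nComment=Apps  from MOZILLA\n"
                  "Url=https://silly-game.example/repo/\n",
    "gnome": "[Flatpak Repo]\nTitle=GNOME\nComment=GNOME apps\n"
             "Url=https://gnome.example/repo/\n",
}

def parse_repo(text):
    """Return the repo-supplied (untrusted) fields of a .flatpakrepo file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keyfile keys are case-sensitive
    cp.read_string(text)
    section = cp["Flatpak Repo"]  # KeyError if the group is missing
    return {k: section.get(k, "") for k in ("Title", "Comment", "Url")}

def normalize(s):
    """Fold case, Unicode compatibility forms and whitespace for comparison."""
    return " ".join(unicodedata.normalize("NFKC", s).casefold().split())

def ambiguous_descriptions(remotes):
    """Map each Title/Comment text claimed under different URLs to the
    sorted list of local remote names that claim it."""
    claims = defaultdict(dict)  # normalized text -> {remote name: url}
    for name, text in remotes.items():
        fields = parse_repo(text)
        for key in ("Title", "Comment"):
            if fields[key]:
                claims[normalize(fields[key])][name] = fields["Url"]
    return {text: sorted(by_remote)
            for text, by_remote in claims.items()
            if len(set(by_remote.values())) > 1}

if __name__ == "__main__":
    for text, names in ambiguous_descriptions(REMOTES).items():
        print(f"{text!r} is claimed by remotes: {', '.join(names)}")
```

A match is only a hint that two descriptions are indistinguishable to the user; text that differs slightly still passes, so the origin label has to stay the local remote name.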

Comment 2 Richard Hughes 2017-05-02 07:27:13 UTC
For master:

commit 2ae02bf03baf5933c0a73a7c53bc0c54baf7fd3b
Author: Richard Hughes <richard@hughsie.com>
Date:   Fri Apr 28 17:11:56 2017 +0100

    Do not allow plugins to the origin title in the UI
    
    This can easily be spoofed with a malicious flatpakrepo or distro repo file.
    
    Fixes: https://bugzilla.gnome.org/show_bug.cgi?id=781895

Comment 3 Richard Hughes 2017-05-02 07:32:41 UTC
For 3.22:

commit 4a147f3343acf6f608fad37606e72402b6107489
Author: Richard Hughes <richard@hughsie.com>
Date:   Tue May 2 08:29:53 2017 +0100

    Do not show the origin comment in the details page
    
    This can easily be spoofed with a malicious flatpakrepo or distro repo file.
    
    Fixes: https://bugzilla.gnome.org/show_bug.cgi?id=781895

Comment 4 John Ralls 2017-12-24 04:36:27 UTC
*** Bug 791896 has been marked as a duplicate of this bug. ***