PureOS Tracker

GNOME Extensions install allowed
Open, Freedom Issue, Public

Description

I did a simple search for UTC, and it offered a software package, I selected it and then got the alert to ask if I wanted to install from extensions.gnome.org which raised some concerns about third-party software installing...

I don't think I tainted my system (through other forms of testing) to have that show-up, so am filing this ticket to see if it can be validated against a pure PureOS install, and if so, then it can be discussed if that is proper policy or a freedom issue.

Event Timeline

todd created this task. Sep 22 2018, 09:05
jonas.smedegaard added a subscriber: jonas.smedegaard.

Reassigning to Matthias, our expert on AppStream (including what and how much PureOS has derived from Debian in that area).

mak added a comment. Sep 22 2018, 10:51

I am not sure I understand the problem - what is the issue here? That extensions can be downloaded from GNOME?
Since we trust GNOME already, I don't think it makes sense to disallow that in GNOME software, especially because doing so means people will have trouble installing GNOME extensions.

Installed the latest ISO in Boxes. "UTC" did not come up in search.

todd added a comment. Sep 24 2018, 12:29

Chat history on the subject from #community-pureos:talk.puri.sm

Todd
11:52AM
So, to confirm, our Software center does indeed send requests outside of pureos.net? And outside of our hosting?
If so then we can move forward on what the policy should be.

Matthias
12:05PM
Todd: Yes, GNOME Software communicates with services hosted by the GNOME Project

Todd
12:05PM
ok, thanks. Now we can move onto the policy if that is seen as acceptable (e.g. do we deem no third-parties to be allowed, or do we deem approved third-parties to be allowed)...

Matthias
12:07PM
jup

Todd
12:07PM
I will dig a little on the policy, but would like to hear from Jonas on that policy topic, and Kyle Rankin on the (obvious) issue of third-party packaging being utilized.
12:07PM
(or anybody with an opinion that is rooted in reason)

Matthias
12:09PM
trusting some third parties would seem preferable to me, because anything else means we would either ship software with degraded functionality (which is a disservice to its developers and users) or host our own disconnected services, which requires resources and will not be able to offer the same range of content

Todd
12:14PM
Matthias: I can see that IF that third-party (e.g. GNOME in this case) adheres to the same strictures that we do (and in turn the FSF does), then it would be "part of the ethical island" we can pull from. So that part seems like I could get past. The other part of tainting outside our pureos singular ethical group from a security standpoint is something I'm still thinking on... (e.g. to compromise a PureOS system, compromise any host on the island, rather than only within PureOS)

Matthias
12:16PM
I am not exactly sure what you mean with the last part of the sentence, but of course as with any code that is user contributed, someone could upload some malicious extension to GNOME Extensions and users can compromise their system with it in case they install it, until GNOME detects the bad script and removes it
12:17PM
but that's a problem inherent to these systems, unless every single thing gets a review before being published, which is such a massive amount of work that not even vendors like Google do it

dos
12:20PM
from the security point of view it should be no different from just finding some extension on the web and installing it from there. it should be made clear to the user what they are about to install, where it comes from, that it's user contributed and that it can be dangerous etc.; obviously the user can install whatever they want if they really want, even something dangerous and evil, so you can't stop them, but if you're presenting something to them then it's your responsibility to inform them what it is. so IMO that would be all about the UX (not sure how it looks at the moment in GNOME Software, I'm a Plasma user)
12:23PM
(FWIW, KDE apps have contained a similar mechanism for years already, but I wouldn't say that it's perfect from this point of view)

Todd
12:28PM
the ticket I pasted above shows the "warning" that highlighted this issue to me... "Download and install 'UTCClock' from extensions.gnome.org?

dos
12:29PM
if there's nothing more than that, I'd consider it not enough

Matthias
12:29PM
dos: GNOME Software is always very clear about where stuff is coming from, in this case it even shows the origin in the system authorization dialog.
Adding some "this could be dangerous because $potentially_untested_user_contributed_content" infobox as well likely isn't the worst idea though (that needs to go through the design team though)

Todd
12:30PM
I'll paste this chat in the ticket, and then wait on Kyle and Jonas and others to chime in then we can escalate the policy discussion further... (into GNOME, with FSF, etc.)

Matthias
12:32PM
sounds good

dos
12:32PM
Matthias: that would make a big difference. if I'm not familiar with how the extensions system works, "from extensions.gnome.org" looks to me just like "from GNOME", so why shouldn't I install it if I trust GNOME? ;)

Matthias
12:33PM
dos: It's the same as installing things from addons.mozilla.org, which is also not "from Mozilla" technically
James Rufer
2:49PM
It didn't show up in search for me. Latest ISO.

todd added a comment. Sep 24 2018, 12:30

@james.rufer do any GNOME extensions appear? (this would be the answer to only packages from approved PureOS.net and it would be counter to what Matthias mentioned in the chat history @ 12:05)... So I want to confirm that...

@todd It seems to me that your question at 11:52 was ambiguous: I guess you intended to ask about _default_ behaviour, and to me it is more likely that Matthias answered only about _ability_ - i.e. that Software center sends requests outside of pureos.net if told to do so. Therefore I disagree that @james.rufer's test is counter to @mak's answer.

I believe we need to understand not only _if_ but also _how_ Software center can reach a state where it sends requests outside of pureos.net.

Possibilities that I can imagine:

a) Software center contacts other hosts than pureos.net without any explicit confirmation from the user - i.e. by default
b) Software center contacts other hosts than pureos.net only after the user confirming a suggestion
c) Software center contacts other hosts than pureos.net only after the user overrides a discouragement
d) Software center contacts other hosts than pureos.net only after the user spells out the host otherwise not mentioned at all

Case a) is forbidden by FSF (but arguably tolerated by Debian). Should IMO be forbidden by us.
Case b) is forbidden by FSF (but tolerated by Debian). Should IMO be forbidden by us.
Case c) is tolerated by FSF (and acceptable by Debian). Should IMO be discouraged by us (e.g. not actively enabled if disabled in Debian).
Case d) is acceptable by both FSF and Debian. Should IMO be acceptable by us.

mak added a comment. Sep 25 2018, 02:16

@james.rufer GNOME Software will fetch an extension list when run under GNOME Shell. So, you'll need to run it in a GNOME Shell session and the GNOME site has to be reachable. Try refreshing the software index (refresh button in GNOME Software) in case information is missing.

todd added a comment. Sep 25 2018, 13:16

d) Software center contacts other hosts than pureos.net only after the user spells out the host otherwise not mentioned at all
Case d) is acceptable by both FSF and Debian. Should IMO be acceptable by us.

This seems like what I would have assumed. The only middle-ground would be using an approved *just-as-strict* repo, so pureos.net + extensions.gnome.org (IF extensions.gnome.org == FSF endorsed).

@james.rufer it looks like @mak has one more thing for you to test to confirm what state we are in (from Jonas's list).

No, "middle-ground" is some other option - possibly one of these:

e) Software center contacts other hosts than pureos.net or other hosts endorsed as FSDG-free by FSF only after the user spells out the host otherwise not mentioned at all
f) Software center contacts other hosts than pureos.net or other hosts assumed by Purism to be FSDG-free by FSF only after the user spells out the host otherwise not mentioned at all

I suspect neither e) nor f) is tolerated by FSF. That's why I didn't list those previously.

Sorry, above was inaccurate: I _do_ expect FSF to tolerate _FSF_ hosts as "middle-ground" but not e.g. "extensions.gnome.org".

Even if FSF should tolerate "middle-ground" - be it their own hosts or hosts of e.g. GNOME, I recommend that Purism forbid that anyway. Reason is that we cannot offer our users a trustworthy system if we are not the only gatekeepers of what gets installed.