[SailfishDevel] [Minutes] Sailfish OS Open Source Community Collaboration Meeting, 5th of September 2016

Slava Monich slava.monich at jolla.com
Wed Sep 7 12:20:23 UTC 2016


Access to contacts is actually quite a good example. It may or may not 
require access to the network, depending on how it's implemented at Qt 
plugin level. Should every app that needs contacts declare that it needs 
network access even if the app itself doesn't use the network?

Or it could require access to certain parts of the filesystem that by 
default is disallowed. How is application supposed to figure that out in 
order to request appropriate privileges?

To make matters worse, the plugin requirements may change over time, 
meaning that a system upgrade may break the app because the app didn't 
request access to some features required by the updated plugins.

The only sure way to protect the app against surprises like that is to 
request access  to pretty much everything. Which is the way it is now. 
So way bother?

Having full source code available (in merproject git repo) and making 
sure that the app is built from those sources in Mer OBS and signed (by 
Jolla?) would be a good start, in my opinion. Still it doesn't guarantee 
that the app has no rogue functionality built in, but the community may 
help to examine the source code. The more popular the platform is, the 
more apps we have, the more security conscious people are willing to 
check the sources - that sounds fairly scalable to me.


> Slava,
> Apps would have to declare what they need to function, and then the 
> sandbox is in place to ensure that they can only use what they declare.
> This doesn't solve apps declaring they need full access to everything, 
> but at least there are some assurances to the user that if they expect 
> an app wont need access to the contacts list, that its not poking 
> around in there. Expecting everyone to check the source code (if 
> available) is not a very user friendly solution, and asking Jolla to 
> hand verify all apps in the store isn't very scalable either.
> On Wed, Sep 7, 2016 at 11:23 AM, Slava Monich <slava.monich at jolla.com 
> <mailto:slava.monich at jolla.com>> wrote:
>     I feel a bit sceptical.
>     If the system supports plugins, i.e. shared libraries discovered
>     at runtime and getting loaded into the process context without
>     executable knowing it in advance (like Qt does), then the
>     application doesn't even know what kind of resources it actually
>     needs at runtime to function properly.
>     The next thing you do after you introduce sandboxing, you start
>     adding ways to get around sandbox limitations, which in the end
>     defies the whole purpose. Or you severely limit the usefulness of
>     3rd party apps. Sounds like a lose-lose situation.
>     Any 3rd party app is a risk, especially the native ones,
>     especially those that come unsigned and without the source code.
>     If you don't want to take the risk, you don't install 3rd party
>     apps. That works better than any kind of sandboxing.
>     Cheers,
>     -Slava

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.sailfishos.org/pipermail/devel/attachments/20160907/5fe65ddb/attachment.html>

More information about the Devel mailing list