26 Jan 17, 03:32PM
(25 Jan 17, 10:49PM)stef Wrote: My guess: you will wait for the debian packages that you included to update (and those updates to be distributed, like every other user). Do you agree, that this is an additional step, that is only delaying the deployment of security fixes to users?
For now and as I use debian libraries (Actually ubuntu libraries as I'm building on Xenial) yes, I will wait for patches and then launch a new update. Yeah, I agree this is an additional and possibly unnecessary step. Once I get a working build of AC, then I'll ask Launchpad/Snapcraft engineers a way to build and launch new updates automatically when one of those libraries gets a security patch.
(25 Jan 17, 10:49PM)stef Wrote: You have fallen prey to the snappy advertising. Any compromised application endangers the user's data - which is the relevant part. A compromised debian package can affect OS and other installed stuff, but that's what package signing is for. A compromised application is a problem with or without snappy, since history shows, that there are always unfixed privilege escalation bugs around somewhere.
I totally agree user data is the most critical part to protect, snappy is just focused on integrity of OS and apps, but not its data itself, there's no magical software that can do everything well (Yet...). I don't want to say more things about snappy, just focus on package AC, but even apps that have root can't access what it's not allowed to (Except its own data, of course).
As I see it right now, the sandbox it's not a way to protect apps forever, it's just a protection mechanism to give enough time to developers to launch security updates, but yeah, it doesn't protect the package's own data if compromised and I know the sandbox it's not perfect and might have security bugs, but It's better than nothing, don't you think? Now the most important part: Is there any kind of sensible data that might get saved on AC?
Now I just want to focus on package AC, ask snappy engineers recommendations, pass your requirements, upload to the store and keep updating it. I'll send you what I'm working on if you're interested when I finish it.
PD: Can we continue to have this conversation on PM or another thread? I think this thread is not appropriate to talk about this and I want to close it.