Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

zero install - serious critiques?

0 views
Skip to first unread message

David M. Besonen

unread,
Jan 13, 2006, 9:20:20 AM1/13/06
to
hi all,

i have recently been reading about the zero install
system as a result of my interest in the rox desktop.

i personally would prefer to use rox with apt.
however, it seems the rox devs are primarily packaging
for zero install.

anyhow, is there any reason i wouldn't want to use
zero install? any glaring problems it creates? the
zero install website only has Good Things to say about
zero install (not a surprise as much as a
disappointment - nothing is perfect).

for reference:
http://zero-install.sourceforge.net/filesystem.html
http://zero-install.sourceforge.net/compare.html


peace,
david


--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org

Joris Huizer

unread,
Jan 13, 2006, 10:10:17 AM1/13/06
to
David M. Besonen wrote:
> hi all,
>
> i have recently been reading about the zero install
> system as a result of my interest in the rox desktop.
>
> i personally would prefer to use rox with apt.
> however, it seems the rox devs are primarily packaging
> for zero install.
>
> anyhow, is there any reason i wouldn't want to use
> zero install? any glaring problems it creates? the
> zero install website only has Good Things to say about
> zero install (not a surprise as much as a
> disappointment - nothing is perfect).
>
> for reference:
> http://zero-install.sourceforge.net/filesystem.html
> http://zero-install.sourceforge.net/compare.html
>
>
> peace,
> david
>
>

you may see this as some problem:

"Isn't running stuff off the net a security risk?
Isn't that where you get your software from anyway? Zero Install
automatically performs a number of checks for you (such as checking MD5
sums and GPG signatures), and since it doesn't run any of the remote
code as root, you can try software out safely as a 'guest' user. Once
downloaded, the programs are run from the cache, without even checking
the original sites for updates (you have to tell it to update manually)."

That means: no security updates or whatever I guess

regards,

Joris

David M.Besonen

unread,
Jan 13, 2006, 1:50:13 PM1/13/06
to
On Fri, 13 Jan 2006 15:51:20 +0100, Joris Huizer
<joris...@planet.nl> wrote:

>you may see this as some problem:
>
>"Isn't running stuff off the net a security risk?
>Isn't that where you get your software from anyway? Zero Install
>automatically performs a number of checks for you (such as checking MD5
>sums and GPG signatures), and since it doesn't run any of the remote
>code as root, you can try software out safely as a 'guest' user. Once
>downloaded, the programs are run from the cache, without even checking
>the original sites for updates (you have to tell it to update manually)."
>
>That means: no security updates or whatever I guess

right. this problem is part and parcel of all gnu/linux "bundled
application" solutions that are available atm iirc. no? a trade-off
of less security for greater ease of use by the enduser.

the upside seems to be that the end-user is less likely to fubar the
whole os if they zero install some malware since the zero install
system says it confines all activity to user space. am i
understanding this correctly?

peace,
david

Joris Huizer

unread,
Jan 13, 2006, 2:30:08 PM1/13/06
to
David M.Besonen wrote:
> On Fri, 13 Jan 2006 15:51:20 +0100, Joris Huizer
> <joris...@planet.nl> wrote:
>
>
>>you may see this as some problem:
>>
>>"Isn't running stuff off the net a security risk?
>>Isn't that where you get your software from anyway? Zero Install
>>automatically performs a number of checks for you (such as checking MD5
>>sums and GPG signatures), and since it doesn't run any of the remote
>>code as root, you can try software out safely as a 'guest' user. Once
>>downloaded, the programs are run from the cache, without even checking
>>the original sites for updates (you have to tell it to update manually)."
>>
>>That means: no security updates or whatever I guess
>
>
> right. this problem is part and parcel of all gnu/linux "bundled
> application" solutions that are available atm iirc. no? a trade-off
> of less security for greater ease of use by the enduser.
>
> the upside seems to be that the end-user is less likely to fubar the
> whole os if they zero install some malware since the zero install
> system says it confines all activity to user space. am i
> understanding this correctly?
>
> peace,
> david
>
>

Yes I think so :-)
Their security page states, "there's nothing a user can do with Zero
Install that they couldn't do without it"
(note that I do not have experience with zero install, just assuming
their information is correct ;-))

regards,

Joris

Noah Dain

unread,
Jan 13, 2006, 3:10:13 PM1/13/06
to

wow. http://zero-install.sourceforge.net/compare.html reads like "get
the facts".

"Debian has three separate places where software is installed"
What user cares where the package installed? As long as the software
works, what's the problem?

"Our student just wants to run the software."
Good for 'our student'. However, he doesn't own that machine, now
does he? He is not responsible for the operation of said machine
either. He is however, supposed to use the system within the the
policy dictated by the administrator, school, etc. Being able to run
whatever you want, could just be an issue in some scenarios. So what
now? Have the administrator have to black or whitelist an endless
list of packages? No thx, not for this admin.

"Running anything as root is a security risk. If the Debian package
for AbiWord contains malicious code (or just a simple bug), it will be
running that code as root, with full power to do anything it likes to
the machine."
Well, if you can't trust the software you are installing, much less
the system it is being installed upon, well, I'll just leave it at
that. (so really, a non-issue)

"APT relies on a database to keep track of what's installed and what
isn't. This database must be kept in sync with the filesystem... if
the user deletes a file to save space, then APT will continue to think
that the file is installed."
Deleting a system installed file would require the user to have root
access. If this is the case, there is no system level security at
all. (yet another non-issue)

"APT often downloads more than you need. Some packages have been
split, for example 'python' and 'python-doc', but most packages
require you to download a considerable amount of data that you simply
don't need."
Eh? Methinks he's confusing debian/dpkg systems with some fairly
braindead, albeit popular, bloated packaging system. (swing and a
miss)

"Despite trying to download every file for every feature of a program
you might possibly need, APT still often fails to get things you want.
For example: install gqview and open an image. Choose 'Edit in Gimp'
from the menu, and you'll get an error complaining that Gimp isn't
installed."
That's why there are things like apt policies to install suggested
packages, or even auto-apt. (omg u loose agane!!!!11)

"APT is not scalable: Since every package is installed as root, every
package must be carefully checked by a trusted Debian developer."
Really now? News to me. Last I checked, debian, maybe ubuntu had the
most packages available of any linux distro. And again, security
actually matters to some people. Trust the debian team or trust ...
whoever. Riiiiiiight. (sorry, no dice)

and then they go on to say ...

"Anyone can make software available via Zero Install. Trust is for
individual users to decide, not the admin, since their choices only
affect them."
Oh, if that were only how computer security *actually* worked. Yes,
sometimes user code can be used to exploit root level vulnerabilities,
even under linux. Nice try, though.

and then, here: http://zero-install.sourceforge.net/filesystem.html
they describe how applications are cached, so that multiple users on
the same system only work off of one instance of a program in the
zero-install cache. So, exactly how is that only affecting one user
again? Right, it isn't. (BZZZZT!)

"APT must download the latest package listing for the whole archive
before doing anything."
Well, I have news for you. If you're on a slow enough connection that
you can't stand waiting for the packages list to download, just wait
until you try to install any software, either via apt or zero-install.
Yeah, go "zero-install" open office. (no cookie)

"Upgrading is very slow ... it requires downloading a vast amount of
software, most of which won't be used before it's upgraded again."
Oh yes, much better to run a system where the older software packages,
the ones with possible security issues, stay on the system the
longest. Brilliant!

Ok, I'll just stop there. Yeah, it's a really slow day at work ;-)


--
Noah Dain
"Single failures can occur for a variety of reasons that have nothing
to do with a hardware defect, such as cosmic radiation ..." - IBM
Thinkpad R40 maintenance manual, page 25

Chris Bannister

unread,
Jan 16, 2006, 6:10:11 AM1/16/06
to
On Fri, Jan 13, 2006 at 08:05:04PM +0000, Noah Dain wrote:
> "APT often downloads more than you need. Some packages have been
> split, for example 'python' and 'python-doc', but most packages
> require you to download a considerable amount of data that you simply
> don't need."
> Eh? Methinks he's confusing debian/dpkg systems with some fairly
> braindead, albeit popular, bloated packaging system. (swing and a
> miss)

Ummm, it is a criticism(sp?) heard by Slackware users about Debian.

--
Chris.
======
Reproduction if desired may be handled locally. -- rfc3

0 new messages