Summary
The installer adds a Personal Package Archive ppa:git-core/ppa without disclosing this to the user. There are 3 issues: 1) trust/security, 2) unspecified requirements, and 3) broken install logic.
Trust/Security
Adding the PPA violates user trust and exposes users of this CLI to an attack vector. Ubuntu users are strongly cautioned "Only add software repositories from sources that you trust! Third-party software repositories are not checked for security or reliability by Ubuntu members, and may contain software which is harmful to your computer."
Explicit Version Requirements
The PPA for git-core is added, which will install the latest upstream git version. This is performed without respect to the current version of git installed on the system. Nowhere is a minimum version for git specified. If we knew what the minimum required version for git was, we might not need to diverge from the version shipped in the Linux distribution. And if the installed/distro version was too old, you could install from the distro version and prompt the user to decide if they want to trust a 3rd party PPA.
Broken Install Logic
After adding the PPA, the git install logic doesn't even install the newer git as long as some version of git is present. So this is adding an untrusted software source to my workstation, not explicitly updating to the software from the PPA, and I'll get a version bump at some point in the future when I update packages and have no connection of that to this installer. Furthermore, you never remove the PPA in the uninstall script.
The addition of a PPA without consent is troubling. It is not clear that the absolute latest version of git is actually needed (or what I lose if I don't allow a non-distro git release). But combined with issue #44 "No checksum validation of downloaded files" and this being an unsigned installer which instructs the user to curl from the internet and pipe to sh projects a lack of concern about security.
Steps to reproduce
(include tooling version, platform, etc)
Code inspection
Operating System
Specify: (MacOS, Linux, Windows)
Ubuntu Linux 19.04
Supporting details
(Logs, stack traces, images, etc. Wrap in <detail> ... </detail> tags as appropriate)
No logs; I won't run the installer.
Development "done" checklist
Test case to verify
Public Documentation updated
Change added to "release notes" as appropriate
Notification to stakeholders (OM, other squads, etc)
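The version gate the report asks for in "Explicit Version Requirements" and "Broken Install Logic", written as an added example in POSIX shell; this is not the installer's own code. The minimum version "2.20.0", the function names and the state-file argument are assumptions, and the repository string is only ever added after an explicit answer, then recorded so the uninstaller can remove it.

```shell
#!/bin/sh
# Added example, not the installer's own code: gate any third-party repository
# on an explicit, declared minimum git version instead of adding a PPA silently.
# MIN_GIT_VERSION is a placeholder value; the project would declare the real one.
MIN_GIT_VERSION="2.20.0"

# version_ge A B: succeeds when dotted version A is >= B (uses GNU sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# installed_git_version: prints the version of the git on PATH, or fails if none.
installed_git_version() {
    command -v git >/dev/null 2>&1 || return 1
    git --version | awk '{ print $3 }'
}

# plan_git_install VERSION: prints the action the installer should take given
# the detected version (empty string when git is absent). It never adds a
# repository itself, so the trust decision stays with the user.
plan_git_install() {
    if [ -z "$1" ]; then
        echo "git-missing"
    elif version_ge "$1" "$MIN_GIT_VERSION"; then
        echo "use-distro-git"       # distro package is sufficient; no PPA needed
    else
        echo "distro-git-too-old"   # only here is a PPA worth asking about
    fi
}

# confirm_ppa REPO STATE_FILE: asks the user explicitly and records an accepted
# repository so the uninstaller can remove exactly what the installer added.
confirm_ppa() {
    printf 'git >= %s is required. Add third-party repository %s? [y/N] ' \
        "$MIN_GIT_VERSION" "$1"
    read -r answer
    case "$answer" in
        y|Y) echo "$1" >> "$2"; return 0 ;;
        *)   return 1 ;;
    esac
}
```

A driver would call `plan_git_install "$(installed_git_version)"`, and only for `distro-git-too-old` or `git-missing` run `confirm_ppa ppa:git-core/ppa "$state_file"` followed by an explicit `apt-get install git`, so the newer package is actually installed rather than left for a later unrelated upgrade.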
Additionally, log messages throughout indicate installation of packages like git even if the installer will be skipping installation due to an existing binary.
Edit: I see this particular comment is already covered in issue #49
rcj4747 changed the title from "Installer adds PPA on Ubuntu/Debian which changes developers git version & exposes user to untrusted software" to "Installer adds PPA on Ubuntu/Debian which changes user's git version & exposes user to untrusted software" on Sep 11, 2019