Open sonnyp opened 4 months ago
That's just not feasible without reviewing every new build manually. There's no meaningful way we can automatically detect the module that holds the actual app (and even then, what if a dependency gets substituted?) and flag URL changes there.
There's no meaningful way we can automatically detect the module that holds the actual app (and even then, what if a dependency gets substituted?) and flag URL changes there.
For this to be meaningful all urls need to be monitored anyway otherwise the malicious code could hide in a dependency.
Relevant conversation https://matrix.to/#/!xFJJgxGKItHQPfstha:matrix.org/$Xi__lwHlaYQNVP7sMSNLdAoz1jUULsyUCSncawuDERY?via=matrix.org&via=gnome.org&via=kde.org
I agree with the concern that it can significantly increase the amount of review work. To clarify, I had in mind to only trigger a review when new domains are in use.
Perhaps and to get started we can start with optin (flag unverified crypto apps) or only review domain changes for unverified apps.
This is a follow up from a conversation around https://popey.com/blog/2024/02/exodus-bitcoin-wallet-490k-swindle/ and how Flathub is vulnerable.
We already do pretty well with
For practical purpose we don't review all manifest changes. However, reviewing domain changes would go a long way in preventing malware from making their way in via manifest updates.
Consider the following scenario
I propose to add manual reviews for new domains in source download urls.
Domains is used loosely here and we should consider also reviewing changes in well known source providers such as
github.com/*/*
Something to watch out for is IDN homograph attacks.One possible optimization would be to remove manual reviews if a verified app only downloads from its verified domain.