On 11 Oct 2024 11:56 +0100, from debian-u...@howorth.org.uk:
> I think the point is not about what actually happens now, but what
> might happen in future if some evil actor gets access to mozilla's
> repository and injects some malware into it.
>
> And thus the degree of trust that ought to be given to the repository
> and the degree of trust that it ought to ask for out of the box.

Correct. They don't need that degree of trust for the stated purpose; therefore, them encouraging users to grant that degree of trust is inappropriate. Default should be least privileges required.

There are other ways to do it, of course, such as in case they anticipate distributing additional packages that way in the future. For example, they could prefix every package they ship with something like "mozilla-official-" ("mozilla-official-firefox", "mozilla-official-thunderbird", "mozilla-official-whatever", ...) and restrict the pin to packages matching that prefix only. A hypothetical "mozilla-official-firefox" could then declare in its package metadata a conflict with "firefox" and "firefox-esr" as those are the package names used by the official Debian repositories for the same software.

It wouldn't prevent them (or a malicious actor who gains control over their repository infrastructure) from publishing packages that are not what they claim to be, of course; but the tools are available to limit the ability of such an act causing damage.

The same argument would apply to a repository from any other actor as well. Mozilla's just happened to be the one that came up in this particular thread.

-- 
Michael Kjörling 🔗 https://michael.kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”
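
The difference between a catch-all origin pin and the prefix-restricted pin suggested in the message above, as an added example that is not part of the original post. It models only `Pin: origin` stanzas with glob patterns from apt_preferences(5); the origin `repo.example.org`, the priority 1000 and the package list are constructed, and `mozilla-official-` is the hypothetical prefix from the message.

```python
import fnmatch

# Constructed apt_preferences(5) samples. repo.example.org is a placeholder
# origin; "mozilla-official-" is the hypothetical prefix from the message.
BROAD = """\
Package: *
Pin: origin repo.example.org
Pin-Priority: 1000
"""
SCOPED = """\
Package: mozilla-official-*
Pin: origin repo.example.org
Pin-Priority: 1000
"""

def parse_stanzas(text):
    """Split preferences text into one dict per blank-line-separated stanza."""
    stanzas = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                key, value = line.split(":", 1)
                fields[key.strip().lower()] = value.strip()
        if fields:
            stanzas.append(fields)
    return stanzas

def origin_pin_priority(text, package, origin):
    """Priority the first matching 'Pin: origin' stanza assigns, else None."""
    for s in parse_stanzas(text):
        kind, _, value = s.get("pin", "").partition(" ")
        if kind != "origin" or value.strip().strip('"') != origin:
            continue
        patterns = s.get("package", "").split()
        if any(fnmatch.fnmatchcase(package, p) for p in patterns):
            return int(s["pin-priority"])
    return None

def elevated_packages(text, origin, candidates, default=500):
    """Candidate names the origin's pins raise above APT's default of 500."""
    return [p for p in candidates
            if (origin_pin_priority(text, p, origin) or 0) > default]

if __name__ == "__main__":
    names = ["mozilla-official-firefox", "firefox", "libc6", "openssl"]
    for label, prefs in (("broad", BROAD), ("scoped", SCOPED)):
        print(label, elevated_packages(prefs, "repo.example.org", names))
```

With the broad stanza, any package name the repository publishes is raised above the default priority; with the scoped stanza, only names carrying the prefix are.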