
Re: [Userops] Userops Acid Test v0.1


From: Olivier Mehani
Subject: Re: [Userops] Userops Acid Test v0.1
Date: Wed, 4 Nov 2015 09:53:39 +1100
User-agent: Mutt/1.5.24 (2015-08-30)

On Tue, Nov 03, 2015 at 02:25:10PM -0800, Asheesh Laroia wrote:
> > I think the auto-update approach has a problem: it means that every
> > application becomes its own package manager.  I don't think we're going
> > to reduce the complexity of our systems via this approach.  I already
> > have too many package managers to handle!  Each of my applications
> > having one won't make things easier for me, I think.

I agree with the disagreement with auto-update. You want one package
manager to rule them all, or at least a very small number thereof.

> If a prescriptive approach ("You MUST auto-update to be userops compliant")
> doesn't work for you, I wonder if you'd prefer an empirical one -- for
> example, userops researchers should be scanning a random sample of
> installed systems of Debian's new web app packaging, guix, sandstorm, etc.
> and finding out if people are vulnerable to security bugs in outdated web
> apps.
> And I'm not *sure* this is the best approach to finding out empirically if
> people are vulnerable to app bugs, but IMHO this is a hugely serious issue
> (as per blog post I linked-to; the bugs defeat all user privacy on these
> Etherpads) so I think the Userops "Is this system good or not?" would be
> remiss to not consider app bugs one way or another.

That's a good idea. Beyond auto-update, one thing that, for example,
Wordpress does is to send you an email about new versions. Not necessarily
installing them, but letting you know about that, so you know something
needs to be done. I wouldn't have issues with any web-app sending me an
email about being out of date. There is a privacy issue with pinging
home, though.

One better option would be selective subscription to updates and CVEs:
your system knows what packages are installed. Every day, it could
download a fresh version of the new CVEs (and similarly for versions, but
this is really what apt already does), check the list for any
package you have installed, and send you a personalised email telling
you what's wrong with your system. All locally.

-- 
Olivier Mehani <address@hidden>
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655
Confidentiality cannot be guaranteed on emails sent or received unencrypted.
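The local CVE check sketched in the message above, as an added example that is not part of the original post or of any real tool. It assumes a downloaded feed shaped as (CVE id, package, first fixed version, summary) and installed-package data in the shape of `dpkg-query -W -f '${Package} ${Version}\n'` output; all sample values are constructed placeholders, and the version ordering is a simplification of dpkg's.

```python
"""Local CVE-vs-installed-packages check (constructed sample data only).
Version comparison simplifies dpkg ordering; the feed format is assumed."""
import re

# Constructed advisory feed: (CVE id, package, first fixed version, summary).
# The ids are placeholders, not real CVEs.
SAMPLE_FEED = [
    ("CVE-0000-0001", "etherpad-lite", "1.5.8", "placeholder: privacy bypass"),
    ("CVE-0000-0002", "wordpress", "4.3.1", "placeholder: XSS"),
    ("CVE-0000-0003", "nginx", "1.9.4", "placeholder: DoS"),
    ("CVE-0000-0004", "roundcube", "1.1.3", "placeholder: not installed here"),
]

# Constructed, in the shape of `dpkg-query -W -f '${Package} ${Version}\n'`.
SAMPLE_DPKG = """etherpad-lite 1.5.7
wordpress 4.3.1+dfsg-1
nginx 1.9.5-1
"""

def parse_installed(text):
    """Map package name -> installed version string."""
    installed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed[parts[0]] = parts[1]
    return installed

def version_key(version):
    """Comparable key: numeric runs as ints, alphabetic runs as strings
    (a simplification of dpkg ordering; epoch and tilde rules ignored)."""
    return tuple((0, int(t), "") if t.isdigit() else (1, 0, t)
                 for t in re.findall(r"\d+|[A-Za-z]+", version))

def find_vulnerable(installed, feed):
    """Advisories whose package is installed at a version below the fix."""
    findings = []
    for cve, pkg, fixed_in, summary in feed:
        have = installed.get(pkg)
        if have is not None and version_key(have) < version_key(fixed_in):
            findings.append((cve, pkg, have, fixed_in, summary))
    return findings

def render_report(findings, host="example.host"):
    """Plain-text body for the local email; nothing is sent off-host."""
    if not findings:
        return f"{host}: no known advisories for installed packages."
    lines = [f"{host}: {len(findings)} package(s) need attention"]
    lines += [f"  {p} {h} -> {f} ({c}: {s})" for c, p, h, f, s in findings]
    return "\n".join(lines)
```

Running `render_report(find_vulnerable(parse_installed(SAMPLE_DPKG), SAMPLE_FEED))` flags only etherpad-lite: wordpress is already at the fixed version, nginx is above it, and roundcube is not installed.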
