ubuntu-make (umake) can be used to install the latest version of a variety of popular developer tools.
How secure is this process, and how does it compare to the security built into apt-get, such as digital signatures via keys that are not stored on the repository servers, secure, automated updates when security vulnerabilities are identified in tools, etc.? Apt has an apt-secure man page with details on the apt approach to security. Does umake have anything like that?
Does umake, or the processes that create the packages it delivers, check any digital signatures on the underlying packages, including e.g. Maven Central signatures? How are the signature keys vetted? Does the process create any signatures that umake, in turn, automatically checks? These steps seem important, as discussed at Is Maven a plausible vector of attack? - Information Security Stack Exchange
I see that umake doesn't do updates yet (updating tools · Issue #74). Is there any way to determine whether a given installed tool is out-of-date, so you know when to do the "remove/reinstall" workaround? Is there any way to check installed umake tools for security vulnerabilities? Is the archive of packaged tools and any associated version and security metadata available for inspection directly over the web? If not, is it available via umake? What format are the packages and metadata in?
Finally, are there any plans to use The Update Framework (TUF) to really deal with software updates in a secure way?
I could not find a complete answer to this, either. Just one aspect:
Ubuntu Make recently failed to install a package due to a wrong checksum, so there seems to be some checking. See e.g. https://github.com/ubuntu/ubuntu-make/issues/457 and https://github.com/ubuntu/ubuntu-make/issues/346.
This does not state where the hashes are stored etc., but at least an MD5 checksum seems to be computed.
Update: seems like some packages have a GPG signature. See Error(s) while installing Android Studio using umake.
Update 2: seems like, for android, they just download the checksum from the same HTML page that also has the download link. See the repo, which says
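To make the security difference concrete, here is an added example (my own code, not part of the answer above and not umake's implementation) that models the two verification policies the thread contrasts: a checksum scraped from the same download page as the artifact, versus a digest pinned out of band in the installer itself (the "keys not stored on the repository servers" property the question asks about). The page contents, artifact bytes and digests are constructed for the example, and it uses SHA-256 rather than the MD5 the answer mentions; the point is the same for either hash.

```python
import hashlib
import hmac
import re

# Constructed stand-in for a vendor download page that lists the artifact
# and its checksum side by side (the same-origin pattern described above).
ARTIFACT = b"fake-android-studio-archive-bytes\n"
PAGE_HTML_TEMPLATE = """<html><body>
<a href="https://example.invalid/studio.tar.gz">Download</a>
<p>SHA-256: {digest}</p>
</body></html>"""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def checksum_from_page(html: str) -> str:
    """Scrape the published digest out of the download page (hypothetical page layout)."""
    m = re.search(r"SHA-256:\s*([0-9a-f]{64})", html)
    if not m:
        raise ValueError("no checksum found on page")
    return m.group(1)


def verify_same_origin(artifact: bytes, page_html: str) -> bool:
    """Policy 1: compare against a digest fetched from the same server as the artifact."""
    return hmac.compare_digest(sha256_hex(artifact), checksum_from_page(page_html))


def verify_pinned(artifact: bytes, pinned_digest: str) -> bool:
    """Policy 2: compare against a digest shipped out of band (e.g. inside the installer)."""
    return hmac.compare_digest(sha256_hex(artifact), pinned_digest)


def scenarios() -> dict:
    """Run both policies against a genuine, a corrupted, and an attacker-replaced download."""
    genuine_page = PAGE_HTML_TEMPLATE.format(digest=sha256_hex(ARTIFACT))
    pinned = sha256_hex(ARTIFACT)  # recorded by the installer author from a trusted copy

    # Case A: bit-flip in transit, page untouched. Both policies catch it.
    corrupted = ARTIFACT[:-1] + b"X"

    # Case B: the download server is compromised. The attacker swaps the
    # artifact AND rewrites the digest on the page to match it.
    evil = b"backdoored-archive-bytes\n"
    evil_page = PAGE_HTML_TEMPLATE.format(digest=sha256_hex(evil))

    return {
        "genuine_same_origin": verify_same_origin(ARTIFACT, genuine_page),
        "genuine_pinned": verify_pinned(ARTIFACT, pinned),
        "corrupted_same_origin": verify_same_origin(corrupted, genuine_page),
        "corrupted_pinned": verify_pinned(corrupted, pinned),
        # Same-origin check still passes here: it only proves the file matches
        # whatever the (attacker-controlled) page says, not that it is authentic.
        "tampered_same_origin": verify_same_origin(evil, evil_page),
        "tampered_pinned": verify_pinned(evil, pinned),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:24s} {'PASS' if ok else 'FAIL'}")
```

The output shows the same-origin checksum rejecting the corrupted download but accepting the tampered one, while the pinned digest rejects both. A pinned digest has its own cost (it must be updated by the installer maintainers for every upstream release), which is why signatures from a key held off the download server, or a framework like TUF, are the usual answer for tools that update often.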