Investigate peer-to-peer AppImage distribution #175
That would be a really cool feature. When someone on my local network has downloaded the app already, I can download it from them. But it needs to be verified. Is there something like a hash for every AppImage from upstream? Otherwise cheap IoT devices from China could send you infected AppImages.
Like, a GPG signature? Currently these are separate files (outside of the AppImage), but we could also append them to the AppImage (= make them part of the AppImage).
I tried IPFS out over the last two days and read a lot about it. It has hashes integrated to find the right content, so you get the content you request. Downloading files is easy. Here you get the latest official Subsurface AppImage: There is also
Also check Ethereum https://www.ethereum.org/
@probonopd How would that help to distribute AppImages? Another technology like IPFS is WebTorrent. You seed while you are on the website.
@davidak not sure yet; didn't check it in detail yet. Regarding WebTorrent, who stays on a single webpage for that long? Probably more suited to video distribution than apps.
Check the Keybase filesystem: Public, signed directories for everyone in the world. https://keybase.io/docs/kbfs, very promising.
And
But:
Also see the Dat project https://datproject.org/ and the Beaker Browser https://beakerbrowser.com/ built on top of it. Also see https://twitter.com/probonopd/status/925106318796578818
A few thoughts from the Beaker Browser team
@pfrazee sounds promising. If you want to investigate binary delta updating, you can check out zsync(2), which is based on the same algorithms that rsync uses. It calculates a meta file for an existing file, containing a set of hashes (calculated by chunking a file into blocks with a specified blocksize and hashing the blocks using a specified hashing algorithm). I'm sure it's possible for you to make use of the functionality in this library. Heck, I could even imagine zsync2 supporting Dat as a URL scheme.
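A minimal sketch of the meta-file idea described above (real zsync uses rolling Adler-32 plus MD4 checksums and a clever lookup table; plain SHA-1 here is just to show the block-comparison principle):

```python
import hashlib

def make_block_hashes(data: bytes, blocksize: int = 2048) -> list:
    """Split data into fixed-size blocks and hash each block.

    This mirrors the idea behind a zsync meta file: a client with an
    old copy of the file hashes its own blocks, compares them to this
    list, and only downloads the blocks whose hashes differ.
    """
    return [
        hashlib.sha1(data[i:i + blocksize]).hexdigest()
        for i in range(0, len(data), blocksize)
    ]

old = b"A" * 4096 + b"B" * 2048
new = b"A" * 4096 + b"C" * 2048  # only the last block changed

old_hashes = make_block_hashes(old)
new_hashes = make_block_hashes(new)

# Only blocks whose hashes differ need to be fetched from the server.
stale = [i for i, (a, b) in enumerate(zip(old_hashes, new_hashes)) if a != b]
print(stale)  # [2]
```

The delta download is then simply "fetch the blocks in `stale`", which is why the approach maps so naturally onto any transport that can address byte ranges.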
I've thought a lot about Webs of Trust recently for application deployment (AppImage related), and the same considerations apply to generic content as well. Often, PGP's WoT is used as a reference for a working Web of Trust. When building a WoT from scratch, one can use pretty much the same methods and structures PGP established. Sure, it'll take a while to get people to use it and to build a large base of trusted users so that a certain level of security is reached. The algorithms and structures are proven in the real world, and although they have never reached the majority of email users, they are secure and work fine.

However, no WoT is really immune against malicious attacks. It's fairly easy to manipulate a WoT. Let me give you an example: Transferring those thoughts to application distribution, as said, 10 minutes can be enough for an attack to do a lot of harm to your users. As research in the field of antivirus software shows, 10 minutes can be enough for something like ransomware or a computer worm to spread across a lot of computers. This is similar to zero-days: they can be fixed within the same 10 minutes, but even if the fix were deployed immediately, the ransomware could have infected hundreds of thousands of computers and thus dealt a lot of damage. I could provide a list of references, but as we've all heard of this before, I don't think it's necessary.

Therefore, I am trying to construct some more secure trust models for the AppImage ecosystem. For the desktop integration via appimaged or (even better) the desktop environment itself, I'd imagine a trust model similar to the one PPAs on Ubuntu established. We'd allow users to trust the keys AppImages are signed with by adding them to a separate user-specific keyring. (Distributions could even ship with a global keyring, such as openSUSE with its openSUSE Build Service, which builds AppImages and signs them with the OBS key.)
AppImageUpdate could eventually implement the same idea, by issuing a warning for unknown keys; once a key is trusted and the new file's signature matches it, the upgrade is just performed. On a key change, it should clearly state that the new key differs from the old one, and ask the user whether to trust the new one, and whether the old one should be removed. I think that's a fairly secure trust model for AppImage, using some established structures, being not too complicated, and easy to implement with our existing zsync based infrastructure.

TL;DR: Coming back to Dat, I don't think a web of trust will provide any real security to your users, for the reasons stated above. People should not ultimately rely on it, and for application deployment, where foreign code is supposed to be executed on other people's machines, I would never rely solely on a Web of Trust. For static websites and other harmless content, it might work to some extent, but thinking of a browser, when it comes to JavaScript, things get problematic again. So, if you design a Web of Trust which is not subject to any of those issues, please make sure to notify us, because I'm really interested in the topic. If it fits our needs, I'll consider using it for AppImageUpdate, too!
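The trust-on-first-use model described above can be sketched in a few lines. This is purely illustrative (the class and return values are invented for this sketch, not AppImageUpdate's actual API):

```python
# Hypothetical sketch of the proposed key-pinning model: remember the
# signing key seen for an app, warn on first contact, and re-prompt
# clearly when the key changes.

class KeyRing:
    def __init__(self):
        self._trusted = {}  # app name -> signing key fingerprint

    def check_update(self, app: str, fingerprint: str) -> str:
        known = self._trusted.get(app)
        if known is None:
            # Unknown key: warn the user and ask whether to trust it.
            self._trusted[app] = fingerprint
            return "warn-unknown-key"
        if known == fingerprint:
            # Key matches the pinned one: perform the update silently.
            return "ok"
        # Key changed: clearly state the difference and ask the user
        # whether to trust the new key and remove the old one.
        return "key-changed"

ring = KeyRing()
print(ring.check_update("Banana.AppImage", "AA11"))  # warn-unknown-key
print(ring.check_update("Banana.AppImage", "AA11"))  # ok
print(ring.check_update("Banana.AppImage", "FF99"))  # key-changed
```

The security of this model rests entirely on the first contact, which is the same trade-off SSH makes with `known_hosts`.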
We need to redefine the WoT away from how PGP defined it. The pure "human friends only" model is way too slow-moving, and the measure of transitive trust was a fairly limited form of graph analysis. The new definition should be based on a set of features:
Cryptographic networks like Dat give a richer dataset to analyze. All interactions are logged in the network and become signals for graph analysis, so inconsistencies should be more detectable. For instance, if multiple "Paul Frazees" start getting followed, a crawler should be able to notify me and I can react by flagging them. Then, as with any graph analysis, the computed trust is a matter of choosing good starting nodes (and doing good analysis).

For bootstrapping trust, we use auditable key distribution nodes, which ought to be the job of orgs and services. We can use auditable contract systems like nodevms to back these kinds of servers. They will then use CAs to identify themselves. So, again: a combination of CA-secured channels and app-generated trust signals. Direct in-person signatures could still be used, perhaps initially only for high-risk tasks like software distribution. That would be the sort of thing where the user accounts of the org and devs have published special "trust" objects on Dat, which are in turn used by software installers. But that question is basically pushed into application space, since any app can decide how to do its trust analysis on top of the crypto networks. So, perhaps instead of calling it a Web of Trust, we need to think of it as a "Trust Platform," because we're putting trust signals into the application space as a primitive to work with.

Regarding the risk of the attack window: with any automated decision based on trust, such as installing software, there's always the option of putting in a time delay. "This software must be published for 24 hours with no 'withdrawal' signals from X set of users before being installable."
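The time-delay rule at the end could be expressed roughly like this (a sketch under assumed names; "withdrawal signal" and "trusted key set" are modeled as plain sets):

```python
from datetime import datetime, timedelta

# Hypothetical sketch of the delay rule: a release is only installable
# once it has been published for 24 hours with no withdrawal signal
# from any key in the trusted set.

def installable(published_at: datetime, withdrawals: set,
                trusted_keys: set, now: datetime,
                delay: timedelta = timedelta(hours=24)) -> bool:
    if withdrawals & trusted_keys:       # any trusted actor withdrew it
        return False
    return now - published_at >= delay   # old enough to auto-install

now = datetime(2018, 1, 2, 12, 0)
fresh = datetime(2018, 1, 2, 11, 0)      # published an hour ago
aged = datetime(2018, 1, 1, 11, 0)       # published more than 24h ago

print(installable(fresh, set(), {"dev-key"}, now))       # False: too new
print(installable(aged, set(), {"dev-key"}, now))        # True
print(installable(aged, {"dev-key"}, {"dev-key"}, now))  # False: withdrawn
```

This matches the stolen-laptop scenario discussed later in the thread: the delay buys the owner time to publish a withdrawal before any client auto-installs the compromised release.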
What I mean with "web of trust" is really not specific to applications, but I guess has been/needs to be solved for a peer-to-peer Web browser as well. After all, an AppImage is just a file, like an HTML file. In both cases I want to have certainty that what claims to be coming from, e.g., @pfrazee (just standing in as an example here), is actually coming from @pfrazee and has not been altered in between - be it an HTML page or an AppImage. The more difficult question is whether @pfrazee can be trusted - be it with information or software originating from him. An indication may be who else is following him. So in summary, I believe a peer-to-peer Web browser needs to address the very same questions somehow, and if they are adequately solved for Web browsing, then we can also use the very same concepts for software distribution. Agree?
@probonopd I think that's exactly right.
You're right, it's probably better to avoid calling this a "Web of Trust", as I guess many people associate PGP's model with that term. I have to admit I'm not too much into blockchain technology or stuff like smart contracts which are built on top of it. All this sounds quite interesting, but also far from mature right now, unfortunately. Is there a roadmap, a set of definitions or specifications, or any other material where interested people could read up on your plans?

I'll be thinking about what you said about the trust model that an application scenario like "app update distribution" could put on top of it. I see what you mean with the withdrawal signals, but I can't yet see how to realize that, since there's a paradox: you don't want to publish updates until "crowd-sourced" trust has been reached, but how would that be possible without pushing updates to at least some users? A/B-like testing might work, but the e.g. 10% of users who would receive the update right away are put at an unacceptable risk of getting malware on their systems (they might not even be able to push a withdrawal request into the network, depending on the effects of the malware). Right now I'm not 100% sold on the concept, but I'm confident that a constructive discussion might lead to a working model. If you could point me to a place where you discuss those things, I'll have a look as soon as possible.

By the way, I think it might be worth talking to some bigger projects like openSUSE, too, who provide trustworthy AppImages (they sign the AppImages they publish with their pubkeys), so they might be a reasonable institution to "seed trust" in the network. All in all, Dat and Beaker sound interesting for distribution right now, but I'd leave aside their web of trust when implementing it in AppImageUpdate; I'd rather continue to use a more conservative trust model like the one I suggested.

By the way, I'd like to invite you into our IRC channel, #AppImage on Freenode.
What establishes trust today?
What might establish trust in the future?
No, this is just a set of ideas we're forming as we build with dat & beaker. I agree that it's too early to go into production-mode with using a new trust model on top of Dat. I think Dat's a great protocol to distribute images, but I'd still use existing code signature techniques on top of using Dat.
That's not what I'm suggesting there. You'd already have a trust network established for the release: that is, the pubkeys you trust to publish or withdraw a release. The purpose of the delay would be to give the owning orgs a chance to notice and react to a compromise of those trusted actors. So, a simple example scenario that could work right now: you have an app you build, and the .appimage is signed by your dev laptop (1 sig). Somebody steals your laptop and publishes a compromised version. If there were a 24 hour delay before clients auto-download the update, that'd give you time to access the .appimage host and take down the bad version. Same idea here.
Joined!
I wrote an article a while back, when I was working on SSB, that tried to summarize a lot of reading I did on trust and reputation analysis. It's overly dense, but the research I linked to was good: http://ssbc.github.io/docs/articles/using-trust-in-open-networks.html

Reacting to some of your points @probonopd:

HTTPS & DNS do have the problem you mention -- you can phish using "close enough" domain names. It happens pretty frequently.

Graph & reputation analysis: the issue of "SEO gaming" is real. The Advogato project (see my article) had decent success. It depends on the use case; if false positives/negatives are dangerous, then you can use graph analysis more as a suggestion.

Stars & user signals: if you filter the stars/signals by "people you follow" or "people in your network" or some similar tool, you improve the value of that signal, but lose potentially good sources that you're just not connected to. This is why you might want a single node to try to globally crawl and rank everybody -- they can potentially tell you which stars to trust and which ones not. How?
Someone already mentioned this idea 12 years ago in an article about klik (the AppImage predecessor):
User stories
This implies:
Option 1: ipfs
Written in Golang, which means one single binary runs without much hassle pretty much anywhere. There is even a C implementation: https://github.com/Agorise/c-ipfs
To be investigated: just running the ipfs daemon without using it seems to significantly slow down other download traffic on the machine/in the network.
Setting up ipfs
Adding an AppImage to ipfs
Of course,
Download this through the browser
http://localhost:8080/ipfs/QmZKVvm9jdF7TTfg8LEWMMsoinDxJEFMVybfzGUfs3dkKB
https://ipfs.io/ipfs/QmZKVvm9jdF7TTfg8LEWMMsoinDxJEFMVybfzGUfs3dkKB <-- global link
Works! But only as long as the machine is online. To change that: http://ipfsstore.it/submit.php?hash=QmZKVvm9jdF7TTfg8LEWMMsoinDxJEFMVybfzGUfs3dkKB
This will store it for 30 days, and longer if someone sends BTC to the address displayed. Now, to make this into a redundant cluster, we could set up
Range requests are apparently supported: See
Web interface
ZeroConf
It is not used to announce files on the LAN, however (we would need to do this ourselves).
Delta updates
https://ipfs.io/blog/17-distributions/ says:
So it looks like, while we can continue to use zsync, it may not even be needed?
Deduplication between different AppImage files
Asked for opinions re. intelligent chunking for better deduplication on the IPFS forum: https://discuss.ipfs.io/t/ipfs-for-appimage-distribution-of-linux-applications/1553
On IRC #ipfs, someone pointed out:
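To see why "intelligent chunking" matters for deduplication, consider what naive fixed-size chunking does. The sketch below (illustrative data, not real AppImage contents) shows that two images sharing an identically aligned library deduplicate fine, but a one-byte shift destroys all sharing:

```python
import hashlib

def chunk_hashes(data: bytes, size: int = 1024) -> set:
    # Fixed-size chunking: hash every `size`-byte slice.
    return {hashlib.sha256(data[i:i + size]).hexdigest()
            for i in range(0, len(data), size)}

qt = bytes(range(256)) * 16                  # stand-in for a shared Qt library
app1 = b"app-one-code" + b"\0" * 1012 + qt   # library starts on a chunk boundary
app2 = b"app-two-bytes" + b"\0" * 1011 + qt  # same alignment, different app code

shared = chunk_hashes(app1) & chunk_hashes(app2)
print(len(shared) > 0)   # True: the aligned Qt chunks deduplicate

# Shift the same content by a single byte and fixed-size chunking finds
# nothing in common -- hence the interest in content-defined
# ("intelligent") chunking such as rabin fingerprinting.
app3 = b"X" + app1
print(len(chunk_hashes(app1) & chunk_hashes(app3)))  # 0
```

Content-defined chunking picks boundaries from the data itself, so shared payloads line up regardless of their offset in the file.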
Similar: ipfs/kubo#3604
Potential AppImage workflow
Option 2: Hook libp2p into zsync2
Viable? Pros? Cons?
Option 3: dat
To be written. Written in nodejs, which means
Pros and cons
From https://docs.datproject.org/faq:
For investigation
Deduplication between different packages
Wouldn't it be cool if e.g. all AppImages containing Qt could deduplicate data? Check ipfs/notes#84 where it talks about deduplication.
AppImageHub data
Could probably be decentralized in a database as well, e.g., using https://github.com/orbitdb/orbit-db/blob/master/API.md
@probonopd the chunking we talked about on IRC could be pretty useful here. As a quick hack I would be interested to see what sort of deduplication you get across different images using rabin fingerprinting: if you add two different files with rabin fingerprinting, you could do
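As a toy illustration of why rabin-style chunking helps here: real rabin fingerprinting decides cut points with a rolling hash over a sliding window; the sketch below cheats and cuts at a marker byte instead, which is enough to show that content-defined boundaries survive insertions (the data is made up for the example):

```python
import hashlib

def cdc_chunks(data: bytes, marker: int = 0) -> list:
    # Degenerate content-defined chunker: cut after every marker byte.
    # Boundaries are chosen by *content*, not by absolute offset.
    chunks, start = [], 0
    for i, b in enumerate(data):
        if b == marker:
            chunks.append(data[start:i + 1])
            start = i + 1
    chunks.append(data[start:])
    return chunks

def chunk_hashes(data: bytes) -> set:
    return {hashlib.sha256(c).hexdigest() for c in cdc_chunks(data)}

image_a = b"QtCore-bytes\x00QtGui-bytes\x00app-one-payload"
image_b = b"PATCHED-HEADER" + b"QtCore-bytes\x00QtGui-bytes\x00app-two-payload"

# Despite the inserted header shifting every byte, the "QtGui" chunk
# still matches, because its boundaries are defined by the content.
common = chunk_hashes(image_a) & chunk_hashes(image_b)
print(len(common))  # 1
```

Fixed-size chunking would find nothing in common between these two byte strings; a rolling-hash chunker generalizes the marker trick to arbitrary binary data.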
@whyrusleeping:
@KurtPfeifle do you have a list of images somewhere I could download and try this out on? |
A list of crowd-sourced AppImages and their respective download locations is here:
Thanks for explaining it, great job. What's concerning is this part: "The updater downloads the zsync meta file from HTTP server". So there's an HTTP server involved that you depend upon for this process. Which also means that you'll depend on DNS, and that you'll have an address/URL hard-coded somewhere? Or am I wrong?
The user doesn't need to be connected. Agreed, this would have been a deal breaker!
Yes, I was referring to AppImageHub, and how you could build a decentralized hub, but this was just to explain the kind of things you could easily build using pubsub. The distribution of images is the best part: AppImage creators then don't need to depend upon centralized services (cloud providers, for example) to store the images; they're content-addressed, easily replicated, and can be retrieved either directly from IPFS or through any public IPFS HTTP gateway. Creators will just reference the CIDs. With torrents you also have easy replication, but I don't see how you ensure replication of the zsync meta files? Would users require a BitTorrent client to download the AppImage? I'm not advocating any solution over another, just sharing ideas; it's an interesting topic.
Yep. The update information is embedded into the AppImage (hard-coded). See https://github.com/AppImage/AppImageSpec/blob/master/draft.md#update-information
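The spec defines several transport types for that embedded string; a minimal sketch of parsing just the plain `zsync|<URL>` form quoted elsewhere in this thread (the `banana.org` URL is the example used later, and this parser is illustrative, not AppImageUpdate's actual code):

```python
# Hypothetical parser for the pipe-separated update information string
# embedded in an AppImage. Only the plain "zsync" transport is handled.

def parse_update_info(info: str) -> dict:
    fields = info.split("|")
    transport = fields[0]
    if transport != "zsync" or len(fields) != 2:
        raise ValueError("transport %r not handled in this sketch" % transport)
    return {"transport": transport, "zsync_url": fields[1]}

parsed = parse_update_info(
    "zsync|https://banana.org/software/Banana-latest-x86_64.AppImage.zsync")
print(parsed["zsync_url"])
```

Because the string is baked into the image, the URL effectively becomes part of the release contract: it must stay resolvable for updates to keep working, which is exactly the location-addressing trade-off discussed below.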
No, they will not require a BitTorrent client. They just need to use AppImage Updater, which uses libtorrent-rasterbar under the hood. But it is worth noting that the torrent client is only used to download the remaining blocks; the zsync algorithm is used to construct a new file from the old version. So AppImage Update = zsync + BitTorrent.
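The "zsync + BitTorrent" split described above can be sketched as: hash the blocks of the old local file, reuse every block that still appears in the new release, and only fetch the rest over the swarm (the swarm is simulated by a dict here; block size and names are illustrative):

```python
import hashlib

BLOCK = 1024

def block_map(data: bytes) -> dict:
    # Map block hash -> block bytes for every fixed-size block.
    return {hashlib.sha256(data[i:i + BLOCK]).hexdigest(): data[i:i + BLOCK]
            for i in range(0, len(data), BLOCK)}

def rebuild(new_block_hashes: list, old: bytes, fetch) -> bytes:
    # Reconstruct the new file: local blocks are reused (the zsync part),
    # missing blocks are fetched (the BitTorrent part).
    local = block_map(old)
    out = b""
    for h in new_block_hashes:
        out += local[h] if h in local else fetch(h)
    return out

old = b"A" * BLOCK + b"B" * BLOCK
new = b"A" * BLOCK + b"C" * BLOCK
new_hashes = list(block_map(new).keys())   # would come from the meta file
remote = block_map(new)                    # stands in for the swarm

fetched = []
def fetch(h):
    fetched.append(h)
    return remote[h]

rebuilt = rebuild(new_hashes, old, fetch)
print(rebuilt == new, len(fetched))  # True 1 -- only the changed block was downloaded
```

The bandwidth saving is exactly the fraction of blocks the old and new versions share, which is why chunking strategy matters so much upthread.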
Well, I would like to get into IPFS too. Maybe I will try researching it more to make a zsync + IPFS combination, so users get to decide which one to use.
Ok, just saw the update information section in the spec. So in the update information field you put an HTTP link to a .zsync metadata file? This is a good system because HTTP uses location-addressing and the URL will not change. The only downside is that these links are not allowed to break (or you can't update/sync). You could have .zsync files stored in IPFS, but it wouldn't work to store the CIDs in the update information, since once the zsync metadata changes, the associated CID will change (and using IPNS would be way too fragile). zsync looks awesome and I'm sure it's lightweight.
Yes. It's very lightweight.
Now regarding security, let's take one of the worst-case scenarios. Someone publishes an AppImage, and the update information in the image contains an http/https address of a .zsync file, let's say zsync|https://banana.org/software/Banana-latest-x86_64.AppImage.zsync. Somehow the banana.org server gets hacked (or someone gets control of the domain and changes the IPs in the DNS), and the hacker replaces the .zsync metadata file with a carefully crafted one which will make the user who updates the software download/sync an "infected" image via zsync. Is there anything in the updating process, or in the way zsync works, that can prevent such an attack? If not, then that's something to think about.
Looks like some of the larger applications that are already using AppImage are also already using FossTorrents: https://twitter.com/FossTorrents/status/1320121510389075968 Maybe this could be integrated. |
@pinnaculum why is that "something to think about"? This "remote server gets hacked" scenario is omnipresent. What if the initial AppImage you download was already altered by an attacker? I don't see what's "to be thought about" there. The vast majority of all AppImages are located next to the

Not to mention, if you sign the AppImage, AppImageUpdate will require any update to be signed properly with the same key as the existing one. I don't see the big threat you seem to see there... this reminds me a lot of that weird "let's create digests for our downloads, which we include in the

Any form of "distributed updates" has rather serious privacy issues. If all your AppImages are shared through BitTorrent, IPFS or whatever, an attacker can easily guess what applications you have and tailor attacks on you. I don't see the issue with having centralized update servers. Very often, it's cheap people who refuse to set up hosting themselves (because it costs money or whatever) who argue for "distributed updates" because "they can't be taken down" or whatever. Well, self-hosted files are also not "taken down" by some large company. I would never enable any such mechanism, and I don't see how it would help the world. It adds complexity, it puts users' privacy at risk, it opens new attack vectors, it doesn't work with metered bandwidth, and it also requires infrastructure and maintenance.
@pinnaculum If a server ever gets hacked, then that's the end of that organization. What happens if GitHub gets hacked? Everyone is screwed. See Firefox Monitor: some of the top sites have already been hacked, and some passwords and personal info have been exposed to the hackers.
There are GPG checks, which compare the signature in the old AppImage and the new one. But if the server itself is hacked, then the newly released AppImages can be crafted to do anything. But you can run AppImages in Firejail.
@TheAssassin Yes, it does, but it is virtually impossible to share data between peers without knowing the IP addresses of the peers. You can also use a VPN or Tor with BT. EDIT: So you can guess what AppImage I'm downloading now through BitTorrent? How did you associate a specific IP with my identity? If I used a VPN or Tor, what good does the IP reveal of my identity?
Even with Hetzner you get 20 TB of bandwidth. And there is time required to maintain the server. Hetzner does take down your server without notice if they think something is bad; see https://www.reddit.com/r/hetzner/comments/j8jid3/hetzner_poor_service/ With AWS you can get a bill of $2000 in just one month if you screw something up, or if your API key is somehow exposed.
You can limit bandwidth usage in BitTorrent. I don't know about IPFS. I don't see any storage usage with BitTorrent other than the space required to store the file you are downloading.
Any P2P solution used will ask the user for permission and will be disabled by default.
@TheAssassin It's your opinion and it's a free world. You can choose whatever you want, and that's the good thing about Free Software. Everyone is different. I'm not saying BT/IPFS is perfect, but nothing is perfect, not even HTTP.
There is no complexity on the part of users. If you fetch from a self-hosted server or GitHub, does that not put users' privacy at risk? I mean, the organization or the user hosting the server can sell the data. You shouldn't use P2P on metered bandwidth, and that is what I'd recommend. What infrastructure and maintenance are you talking about? With BT it's just one file to share, or a magnet link.
@pinnaculum I tried your IPFS browser -> https://github.com/pinnaculum/galacteek and it seems that IPFS needs a lot of time to start. IPFS is a filesystem, which is overkill for one file, but it might be a good choice for pmOS (postmarketOS). But I like that you have added a seed option for the AppImage itself. IPFS does seem to have more features than BT.
This is interesting, because the zsync meta file and everything else is just included in the torrent file. So a new update mechanism with just a magnet link might be possible. Imagine embedding just the torrent magnet link; everything is decentralized then. No need to ping GitHub, which logs everything. The only downside is that the torrent has to stay alive (i.e., it should have decent seeders for the magnet link to work).
As I pointed out before, AppImageUpdate validates the signature, then compares the keys. And it's entirely optional; it's not the norm.
Firejail doesn't really add a lot of value. The default profile is quite permissive. What would really be required is app-specific profiles. I proposed a concept for how this could be implemented without having to trust the AppImage you've downloaded, similar to what Android provides. This, however, requires some integration in the system, which currently only AppImageLauncher can provide. TheAssassin/AppImageLauncher#99 (comment)
So? Then you allow anybody on the planet to track everyone accessing that torrent, both uploaders and downloaders. And you ignore the fact that your model still relies on web seeds, i.e., HTTP servers. You can also just self-host your AppImages on your servers, and disable logging or be GDPR compliant. On my servers, all logs are pseudonymized (I zero out some bytes of every IP address; I can't disable logs entirely, otherwise I couldn't handle DoS attacks any more other than banning all traffic).
Don't constantly limit the discussion to GitHub. I've talked about self-hosting as well. That argument is pretty hypocritical, as we have the discussion on GitHub and we all apparently trust them to some extent. If it were my choice, we'd host all AppImage software (the build artifacts) on my server for users to download. But @probonopd doesn't want that, claiming GitHub was so much better...
First, that would be illegal without consent, and at least they have a privacy policy I can inspect. Torrents don't have such facilities. At least you know whom you can sue if you notice violations. Second, only they create logs. In a distributed world, everyone can track all accesses to a resource. The danger is not the logging, but the attack vectors which are opened subsequently. Show me the apps you use, and I'll be able to check for exploits and infect your computer with malware. Especially with older AppImages (whose libraries are never updated, of course), there are surely plenty of bugs that could be exploited. My argument is that this information should not be leaked. The average user does not know about this information, yet you force them to share it with the world. And if you don't make them upload (e.g., while the computer is idle), then you can just continue to use some HTTP server; BitTorrent just adds unnecessary complexity on top. You also didn't explain how you'd handle metered connections. You can't easily recognize them and stop uploading content in those cases. Metered connections are omnipresent: there are 4G routers in households in rural areas, for instance. Some people might just connect via a smartphone using tethering. People will likely not notice that their bandwidth is consumed by some distributed stuff, which you don't even seem to be willing to make transparent to the user (as if that'd be "too complicated" and would overwhelm the users or whatever).
Really? The entire thread reads like that was the holy grail solution, and it could/should be set up without any alternatives as fallback. How would you ensure the fallback anyway? In the end, it's the application authors who would have to maintain two systems then. Are you really going to provide all pros and especially the cons in some dialog asking the user to enable such an option? I highly doubt it, looking at the systems built previously in the AppImage context. It'll probably be just "do you want to enable BitTorrent", without any additional information. You're talking about non-tech-savvy users here, who tend to just click "yes" on every dialog without understanding the consequences. I'm sure you know more than one relative who doesn't read messages or really understand what they're doing, but just replays behavioral patterns without thinking about what they do...
Do I need to know your identity? No. I just need to understand how I can intrude into your computer. Once in, I can read all your personal data easily. And using a VPN or Tor only protects you against small attackers. Most VPN providers keep extensive logs (there have been many examples, and even if they claim they don't, you can't prove it, you can only hope so). Only Tor can protect you really well, but Tor doesn't want P2P traffic in their network; it just slows down people who rely on it to get in touch with the rest of the world. Using Tor to mitigate the design flaws of your poor, hardly thought-out P2P scheme is just abuse.
First of all, I have no traffic limit at all on my server, but it costs a lot more than yours. Even 20 TB is quite a lot for the few euros you pay. (I mean, you can't expect unlimited traffic for those prices; it all costs money. GitHub etc. surely have costs as well.) That Reddit link actually shows the opposite of what you wanted to prove: it shows it was the user's own fault, and they were able to recover the server. And there are even statements showing happy customers... And: everyone hosting with AWS must never have made any comparison to other hosters. They're just very much overpriced. That's not an argument at all.
There's the web seed that needs to be maintained as well, potentially also trackers (as they really speed things up; DHT alone is really slow). With IPFS, there are servers to be set up as well, unless you want to just rely on your users to provide all the upload bandwidth (which you probably shouldn't). Then there's the full download you need to offer as well, for people who want to initially download the files. It's not like with BT/IPFS you'd have absolutely no infrastructure. In fact, you likely just rely on other people's systems who keep everything running.
Agreed, this scenario is not specific to the use case of zsync. I suppose you just have to trust the update you're getting.
We can use trackers from archive.org, and the web seeds can be hosted on GitHub or really cheap hosting with low bandwidth. There are also cheap seedboxes, which can be easy to maintain and cheaper than a server. Then you don't really need GitHub at all. It's just a magnet link away.
So you can intrude into my computer just by knowing what software I use?? There is really a very, very small chance you could do this. It is only possible with users who configured their router or computer improperly. IPs are dynamic anyway, so you have to find a vulnerability in a very limited time. EDIT: There are static IPs too. I recommend not using BT with a static IP. @TheAssassin, you suggest that we never distribute with P2P? I mean, it is virtually impossible to share data without knowing the IPs of peers, and the IPs have to be made public.
See, now that's yet again infrastructure. It's not infrastructure-less. It's "not just a magnet link away": you need to upload several files to the right locations with static URLs, and only then can you craft your magnet URL. And using other people's infrastructure to power your updates is also not very nice. Self-hosting should be preferred.
We've seen such an attack ourselves recently in appimaged and libappimage. A detailed analysis will follow soon-ish. The attacker just had to make you download something that looked like an MP3 file, but in fact was an AppImage which triggered appimaged. Upon integration, due to a bug, it could overwrite files in the system. The author crafted their attack by overwriting e.g. a system file manager's desktop file and icon, waiting for a user to click it, et voilà, you've got malware running. But there are also other ways to get this malicious software to run on the system.

Such bugs are not new at all. For example, Wireshark doesn't recommend running it on a production system, as they've got a history of bugs which allowed attackers to take over the system. The code base is large and flaws are to be expected. They themselves recommend to use e.g.,

So yeah, knowing which versions of which AppImages you have gives me a lot of context information for free which I usually would not have. Another example where such information is useful is web application security. It's much easier to search for known exploits if I know the version of a web application which is running somewhere. Many applications therefore no longer publish the current version a server is running on the index page. Minimizing the amount of meta information is key to making an attacker's life harder. After all, even encryption is just about making it hard for an attacker to get the plaintext. It's not impossible, just very, very difficult.
As just pointed out, the idea is not to intrude into your network via your IP. And I'm also not describing a mass attack; I'm describing an attack that would be tailored to a small number of users. The point is, why even publish something as sensitive as the list of applications? By the way, getting your IP isn't that hard. If I wanted to attack you, I'd do what phishing has always done: try to get you to visit some website. I have, by the way, not denied that there might be advantages, too. I just see security and privacy issues which I consider unacceptable.
The AppImage creator chooses the distribution mechanism and what it implies in terms of "infrastructure" (which in the case of zsync is almost nothing, let's be honest). Since the "distributor" has that choice, there just needs to be good documentation on what is needed to maintain reliable distribution of the AppImage. I don't see any problems here. HTTP works for you? Go ahead. Wanna try BitTorrent? You have that choice.
That's a never-ending debate, and most people don't have the means to do pure self-hosting; they'll just use GitHub or whatever comes next. |
Yeah, I think it's the choice of the user and the distributor. In a local network, decentralized distribution is more helpful and very secure. |
@TheAssassin I need to make a statement. First of all, you need to associate an IP with an identity in very little time to know whether a person uses a specific piece of software. So your claim that, when using BitTorrent, you publish the list of software you use to the world is just nonsense. You say you don't need the identity because your attacks will be IP-based, i.e. you only need to know that an IP uses software with a vulnerability such that it could be exploited externally with just the IP address. Can you please give an example that such software exists in the first place? I mean, software with a vulnerability that lets a person be hacked externally with just an IP must not be used at all on a normal computer (maybe on a virtual one).

In your example you demonstrate the vulnerability in appimaged. Let's say you know IP 10.0.0.2 is downloading a vulnerable version of appimaged. Now how would you convince someone at 10.0.0.2 to download the malicious MP3 file, with social engineering or some other means? How would you deliver this software to someone at IP 10.0.0.2 in the short time before the IP changes? After a minute or two, whoever had IP 10.0.0.2 is going to get a different one.

Also, I proposed the use of a VPN because it's cheaper and better than GitHub tracking you. You said that VPNs make logs and track you, but there you contradict yourself.
Why can't you sue VPN providers? VPN providers also have a privacy policy that you can inspect. Even when using GitHub, I advise everyone to use a VPN or Tor if they care about privacy. And if you say that some AppImage contains an old version of a library or application that enables a hacker to intrude with just your external IP, then I think all the big companies already have a backdoor (like with Windows) to all users of Linux, not just AppImage users: LTS versions of Ubuntu ship old libraries and software, and some people don't update often. |
Even if you know the IP and a timestamp, identifying the actual person requires the help of the ISP, and AFAIK that kind of power lies only with governments. In some countries ISPs explicitly throttle BitTorrent bandwidth, like in the US (only some ISPs do this), but BitTorrent has a lot of ways to hide its traffic signature. A VPN can solve all these problems, but a government can quite literally do anything to you. |
I never said that, and I don't want to repeat myself; it's described in the previous comments. Your "example" is completely unrelated and describes some other attack that I did not refer to. I never said you need the exact identity, you just need to be able to match IP addresses. Anyway, this is off topic, and I don't think you understand what I mean.

Your description is flawed anyway. The IP address of a person regularly doesn't change that often. Not even with Tor (the exit node doesn't change, actually, to protect your anonymity). External IPv6 addresses are nowadays often static even for single computers, as routers don't do NAT any more. And due to the lack of new IPv4 addresses, many providers now use "DS Lite" (Dual-Stack Lite), where the NAT gateway is shared by many users and remains the same for at least one day (with many providers around here, it could be weeks). Also, the more special the resource you're trying to access (i.e., the fewer people access it), the easier it is to recognize and match related requests. There's a reason the Tor Browser uses a predefined window size: to make sure all users have one out of 3-4 fingerprints. Deanonymizing Tor users isn't that hard, unless they really just use larger websites. The larger the sea you swim in, the harder it is to find you.

Your "it's safe in a LAN" argument is invalid anyway. Is a public WiFi a LAN? Unless you put in the same effort as e.g. Android (which can, to some extent, differentiate between private and public networks), you can't easily tell such networks apart.

The point is, all your models rely on users sharing the AppImages they have on their computer, all the time; otherwise, you don't have enough peers to download from. You cannot do this selectively really well, or you end up with a highly complex HTTP(S) model, as you fall back to the web seed anyway. The chance of this updating scheme being really all that useful is quite low.
Oh, and please stop narrowing the discussion to updates only. This issue is titled "Investigate peer-to-peer AppImage distribution"; integration into AppImageUpdate is just a secondary goal. All models proposed originally wanted to share all AppImages through e.g. appimaged, all the time. Peer-to-peer over VPN adds a dependency on one central service (the VPN provider), who might even disallow it. And using Tor for this is abusive. Having to use a third-party service to somewhat fix/secure your model shows me, at least, that it's not mature enough. |
Okay, let's agree that P2P is still not mature and that it compromises privacy and security to some extent. I've come to the conclusion that, for now, we need to investigate this more. @TheAssassin But one thing we gain from using P2P is reducing the load on the central server (balancing it when traffic is high). Think about the GitHub rate limits on range requests, which you solved by reducing the number of requests. |
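As a rough illustration of that load-reduction point: zsync-style updates fetch many small byte ranges, and merging nearby ranges before issuing HTTP requests cuts the request count a lot. This is a toy sketch, not the actual zsync2 logic; the function name and the `max_gap` parameter are made up for illustration:

```python
def coalesce_ranges(ranges, max_gap=0):
    """Merge byte ranges (start, end inclusive) that overlap or sit
    within max_gap bytes of each other, so that one HTTP request with
    a combined Range header can replace many small ones."""
    merged = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1] + 1 + max_gap:
            # Extend the previous range instead of opening a new request.
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

# Four block-sized requests collapse into two Range requests:
print(coalesce_ranges([(0, 4095), (4096, 8191), (20000, 24575), (8192, 12287)]))
# → [(0, 12287), (20000, 24575)]
```

Allowing a small `max_gap` trades a few wasted bytes for even fewer round trips, which matters when the server rate-limits requests rather than bandwidth.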
Indeed, I never denied the advantages. And I'm not saying P2P is insecure by definition. But one has to raise awareness that it does have serious privacy implications which average users won't necessarily see. It's always better to reduce the amount of information you share to a minimum. Just look at the manic ads industry with their fingerprinting and the crazy amount of information they use to fingerprint browsers; it's insane. Perhaps we can implement such a feature, but just dumping everything into a P2P service isn't going to lead to success. For selected AppImages it might make sense (although I think that plain self-hosting is still easier and better). Nevertheless, I can really recommend the SHA2017 talk I linked above; it's really insightful. Edit: Oh, I totally forgot this link: https://blog.torproject.org/bittorrent-over-tor-isnt-good-idea |
I will definitely take a look at those. |
AppImage is all about easy and secure software distribution for Linux, right from the original upstream application author directly to the end user, without any intermediaries such as Linux distributions. It also supports block-based binary delta updates using AppImageUpdate, allowing for AppImages that can "update themselves" by using information embedded into them (like the Sparkle framework for macOS). Consistent with this vision, we would like to enable peer-to-peer software distribution, so that we would not need central hosting (such as GitHub Releases, etc.), while ideally maintaining some notion of a "web of trust" in which it is clear who the original author of the software is, and that the AppImage is distributed in the way the original author wants it to be distributed.
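The block-based delta updates mentioned above rest on rsync-style checksums: a weak rolling checksum finds candidate matching blocks cheaply, and a strong hash then confirms them. Below is a minimal sketch of that weak checksum and its constant-time rolling update, assuming 16-bit components; real implementations (rsync, zsync) differ in widths and details:

```python
def weak_checksum(block):
    """rsync-style weak checksum of a block of bytes:
    a = plain sum, b = position-weighted sum, both modulo 2**16."""
    a = b = 0
    n = len(block)
    for i, byte in enumerate(block):
        a += byte
        b += (n - i) * byte
    return a % 65536, b % 65536

def roll(a, b, out_byte, in_byte, blocksize):
    """Slide the window one byte forward in O(1): drop out_byte at
    the front, append in_byte at the back."""
    a = (a - out_byte + in_byte) % 65536
    b = (b - blocksize * out_byte + a) % 65536
    return a, b

# Rolling the window gives the same result as recomputing from scratch,
# which is what lets a client scan a whole file cheaply for blocks it
# already has, downloading only the blocks it is missing.
data = b"hello world"
a, b = weak_checksum(data[0:4])
a, b = roll(a, b, data[0], data[4], 4)
assert (a, b) == weak_checksum(data[1:5])
```

Because the weak checksum can be slid over a file byte by byte, an updater only needs to fetch the blocks whose checksums are absent from the local file, which is what makes the delta updates bandwidth-efficient.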
In this ticket, let's collect and discuss various peer-to-peer approaches that could ideally be woven into the AppImageUpdate system as well.
"IPFS is the Distributed Web. A peer-to-peer hypermedia protocol to make the web faster, safer, and more open." https://ipfs.io
Should we use it to distribute AppImages?
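Whatever transport ends up being used, verification is what makes untrusted peers safe: IPFS addresses content by its cryptographic hash, so a fetched AppImage can be checked locally against the address itself. Here is a minimal sketch of that idea using plain SHA-256 (IPFS's actual multihash/CID format differs, and the function name is made up for illustration):

```python
import hashlib

def verify_download(data: bytes, expected_sha256: str) -> bool:
    """Return True iff the downloaded bytes hash to the value the
    upstream author published. With content addressing (as in IPFS),
    the address itself plays the role of expected_sha256, so even a
    malicious peer cannot serve tampered content undetected."""
    return hashlib.sha256(data).hexdigest() == expected_sha256

# Demo: a tampered payload fails verification.
payload = b"pretend this is an AppImage"
digest = hashlib.sha256(payload).hexdigest()
assert verify_download(payload, digest)
assert not verify_download(payload + b"tampered", digest)
```

Note that a hash only proves integrity, not authorship; pinning the "web of trust" idea from the issue description onto this would additionally require a signature (e.g. GPG) over the hash.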