From: "Laurent Bercot"
To: "Ariadne Conill", Wolf
Cc: ml-devel@keemail.me, ~alpine/users@lists.alpinelinux.org
Subject: Re: Firejail
Date: Mon, 19 Jul 2021 11:15:43 +0000

>The basic gist of it is that we weren't really thrilled about having a SUID program with several CVEs that describes itself as a security tool in the repo.
>
>Although the CVEs have been mitigated, they were caused by lack of experience writing C code, which means there are likely many more CVEs in firejail just waiting to be discovered. Given that it's SUID and has to be SUID in order to do its thing (due to the way it's implemented), I hope you can understand the skepticism.

Ariadne is diplomatically understating the severity of the situation. Since I do not represent Alpine in any capacity, I do not have to take the same precautions.

The reality is that firejail is a catastrophe that has already happened and is waiting to happen again. Its design and code are so terrible that any semi-competent QA team would veto it on the first read; the fact that it advertises itself as a "security tool" would be laughable if it weren't so tragic for the users that have been scammed by it.

The only reason why firejail has made it into distributions is that free software painfully lacks manpower for peer review. This is not an indictment of distribution maintainers, who are underpaid and overworked (and code review, as far as maintainer tasks go, is one of the most thankless ones). This is the unfortunate reality - there is basically no quality assurance for random free software, so FOSS is like a box of chocolates: you never know what you're going to get. Most of the time, people who invest energy into coding FOSS are good at it, so the software is at least passable even with paltry best-effort QA; unfortunately, firejail falls into the other category.

If users like firejail for its simple frontend, it means that there's a need for a similar tool with a similar frontend but better implementation. If it doesn't exist yet, add it to the already huge list of "software that needs to be written".

--
Laurent