Should applications be signable?

When creating an app, when you create data within the “app’s own container”, the basic idea is that that should be private to the user and the application, unless the user grants permissions to a new app.

I’m concerned that the current security methodology for this is essentially “any app which the user downloads and passes its ID as net.foo.bar when authenticating”.

I’m envisioning a security hole where a valid executable is downloaded by a user, gives a fraudulent application ID and the user sees that it already has permission to the net.foo.bar container and re-approves access.

It would be nice if it was possible to sign applications when creating them to verify that the application has come from the actual vendor, vendor IDs could be registered within the SAFE Network in the same way that publicNames are.

If a user self-compiles an app, or for privacy reasons a vendor doesn’t use signing, the app could show the user a warning when authenticating beneath the “authorise” button which says something similar to “This application is unsigned” or “This application is signed by net.foo.bar”.

11 Likes

This has been discussed a few times before, e.g. this thread is very interesting to read: Apps disguising themselves as other apps, thus we need to eventually resume this discussion and see when we can implement any of the proposed solutions.

9 Likes

Ahhh, thanks for this. Where would you like to continue the discussion, there or here?

3 Likes

I eventually see Safe Network as being somewhat of an extension to SafeOS. I recall reading thoughts from dirvine about this along similar aims and there are a few threads already in the forum starting a few years ago about what a SafeOS might look like. Anyhow, the authenticator seems like the perfect kernel or access point for a more expansive package management system or SafeStore for SafeProducts. It would seem logical to fork a package manager from an existing well established open source project and find a way to integrate the authenticator and network protocols. Usually, the prestige of a linux distro is based around how well their package repository is vetted, so naturally I think SAFE needs to be safe here too. I suppose it all comes down to trust but verify in the end. The MaidSafe seal of approval would go a long way, although there may be other more creative ways to do this in a distributed fashion. I am a shill for Gentoo and their Portage system because of its documentation, support community, flexibility, and power user features. The ‘Hardened Gentoo’ project has a lot of top notch security gurus, and ChromeOS from ggl is based on Gentoo if that helps lend credence. Anyone who is interested in having us proclaim the start of a SafeOS distro here and now (based on Gentoo) should pm me.

Edit: SafeOS is a great name and preferred. In case it is already taken, SAFE + Gentoo = Safetoo might be a fun moniker.

5 Likes

I’d like to hear @dirvine or @bochaco’s thoughts on this, I’m wary about starting a huge OS project before the core technologies of the network are finished.

2 Likes

I was thinking we could at least get the ball rolling. Maybe something could be ready by the end of beta. And it’s not so much an entire OS, but a special flavor of linux tailored to work well with SAFE. Anyone who wants to try SAFE but is uncertain could just spin up a VM with SafeOS and be good to go.

3 Likes

I think these folks are years ahead about what you are talking about. Who wants to close Pandora’s box now?

2 Likes

Yes, I’ve looked into Qubes a little bit. It has its positives and negatives. We could evaluate it in detail and fork it to be specialized for SAFE if there is a consensus. It’s probably the only other one that I know of that would be worth considering other than Gentoo. Maybe there are others. As I mentioned, shilling for Gentoo is just due to really positive experiences with it. It has some quirks too like anything else, but allows for ultimate customization to create a rather simple, lightweight and clean UI. Being source or binary based it also makes adapting the OS to work on ARM or other architecture types much easier.

3 Likes

Sounds like you’re looking for a package repository / app store. Haven’t seen anything to suggest it’s been implemented for SafeNet, but the principles are pretty well established. That would make a nice addition to the toolset.

The deeper question you started with amounts to “how can I build a system that protects people who install random Internet junk?” If you solve that one, I hope you’ll give me an autograph.

This subject has been treated many times over in this forum.
https://forum.autonomi.community/t/genode-possible-foundation-for-a-safe-os/

Qubes is not the right choice.

1 Like

Yeah, that’s essentially it. Unfortunately, this entirely falls to the Maidsafe team as there is little an external party could do with regards to this.

Well, it’s less protecting them from installing random junk and more protecting them from installing random junk masquerading as legitimate software.

The toolset already exists for saying “This is, cryptographically, who I am.”, I just want to extend that to “This is, cryptographically, who I am, and I say, cryptographically, that this thing came from me.”

Perhaps this could be built in to a download mechanism of the safenetwork itself, if I publish a piece of software and upload it to the SAFE Network with a TYPE_TAG corresponding to an application, then on download it could say “This package will replace package X, the vendor for both packages is Y”, where Y can correspond to a public name. If the vendors don’t match, it would say “WARNING: This package will replace package X, the vendor for the original package is Y but the vendor for the new package is Z. Are you sure you wish to continue?”

The packages could be stored in a pre-chosen directory as packageName-semanticVersion, or SafeCMS-1.5.3.

@bochaco, @hunterlester do either of you chaps have any thoughts on this?

1 Like
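The two checks sketched in this thread, the opening post’s “This application is unsigned” / “This application is signed by net.foo.bar” line that ties an app ID to a vendor registered like a publicName, and the replace-on-download vendor comparison in the post above, fit together in one small program. The Go code below is an added example written for this page; it is not SAFE Network code and does not call its APIs. It assumes one Ed25519 signing key per vendor, a `VendorRegistry` map standing in for public-name lookup on the network, and a `Manifest` layout (app ID, package name, semantic version, SHA-256 of the bundle) of its own invention; the vendor, package and bundle contents are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Manifest is what the vendor signs: the app ID the app presents when authenticating, the
// package name and semantic version, and a digest binding it to the bundle bytes (layout assumed).
type Manifest struct {
	AppID   string `json:"app_id"`
	Package string `json:"package"`
	Version string `json:"version"`
	Digest  string `json:"digest"` // hex SHA-256 of the bundle
}

// SignedPackage: manifest, claimed vendor public name ("" if unsigned) and the vendor's
// Ed25519 signature over canonical(Manifest).
type SignedPackage struct {
	Manifest  Manifest
	Vendor    string
	Signature []byte
}

// VendorRegistry stands in for vendor IDs registered on the network the way public names
// are (public name -> signing key); the lookup itself is an assumption of this example.
type VendorRegistry map[string]ed25519.PublicKey

type Status int // verdict shown beneath the "authorise" button

const (
	Unsigned       Status = iota // no vendor claimed
	Signed                       // signature verifies under the registered key
	BadSignature                 // vendor not registered, or its key rejects the signature
	DigestMismatch               // bundle received is not the one the manifest names
)

// canonical gives stable bytes to sign: encoding/json writes struct fields in declaration
// order, and Manifest holds only strings, so Marshal cannot fail.
func canonical(m Manifest) []byte { b, _ := json.Marshal(m); return b }

func digestOf(bundle []byte) string { s := sha256.Sum256(bundle); return hex.EncodeToString(s[:]) }

// SignPackage is the vendor's release step.
func SignPackage(vendor string, priv ed25519.PrivateKey, m Manifest) SignedPackage {
	return SignedPackage{Manifest: m, Vendor: vendor, Signature: ed25519.Sign(priv, canonical(m))}
}

// VerifyPackage is the client's download step: a package that merely claims app ID
// net.foo.bar but is not signed under net.foo.bar's registered key never comes back Signed.
func VerifyPackage(reg VendorRegistry, p SignedPackage, bundle []byte) Status {
	if digestOf(bundle) != p.Manifest.Digest {
		return DigestMismatch
	}
	if p.Vendor == "" {
		return Unsigned
	}
	pub, ok := reg[p.Vendor] // short-circuit below keeps Verify away from a nil key
	if !ok || !ed25519.Verify(pub, canonical(p.Manifest), p.Signature) {
		return BadSignature
	}
	return Signed
}

// AuthoriseLabel is the line shown beneath the "authorise" button for a verdict.
func AuthoriseLabel(p SignedPackage, s Status) string {
	return map[Status]string{
		Unsigned:       "This application is unsigned",
		Signed:         "This application is signed by " + p.Vendor,
		BadSignature:   "REJECT: " + p.Vendor + " is not registered or its key rejects this signature",
		DigestMismatch: "REJECT: package contents do not match the signed manifest",
	}[s]
}

// UpgradeMessage is the replace-on-download prompt. Vendor names come from verification,
// never from the raw Vendor field, so a forged field counts as unsigned and warns.
func UpgradeMessage(reg VendorRegistry, installed, cand SignedPackage, installedBundle, candBundle []byte) (warn bool, msg string) {
	trusted := func(p SignedPackage, b []byte) string {
		if VerifyPackage(reg, p, b) == Signed {
			return p.Vendor
		}
		return "(unsigned)"
	}
	was, now := trusted(installed, installedBundle), trusted(cand, candBundle)
	pkg := installed.Manifest.Package + "-" + installed.Manifest.Version
	if was == now && was != "(unsigned)" {
		return false, fmt.Sprintf("This package will replace package %s, the vendor for both packages is %s", pkg, was)
	}
	return true, fmt.Sprintf("WARNING: This package will replace package %s, the vendor for the original package is %s but the vendor for the new package is %s. Are you sure you wish to continue?", pkg, was, now)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	reg := VendorRegistry{"net.foo.bar": pub} // constructed registry
	bundle := []byte("constructed SafeCMS 1.5.3 bundle")
	good := SignPackage("net.foo.bar", priv, Manifest{AppID: "net.foo.bar", Package: "SafeCMS", Version: "1.5.3", Digest: digestOf(bundle)})
	// Impostor: same app ID, claims the same vendor, but can only sign with its own key.
	_, evilPriv, _ := ed25519.GenerateKey(nil)
	evil := []byte("constructed impostor bundle")
	forged := SignPackage("net.foo.bar", evilPriv, Manifest{AppID: "net.foo.bar", Package: "SafeCMS", Version: "1.5.4", Digest: digestOf(evil)})
	fmt.Println(AuthoriseLabel(good, VerifyPackage(reg, good, bundle)))
	fmt.Println(AuthoriseLabel(forged, VerifyPackage(reg, forged, evil)))
	_, msg := UpgradeMessage(reg, good, forged, bundle, evil)
	fmt.Println(msg)
}
```

Two points carry the security argument. The signature covers a digest of the bundle, so a genuine signed manifest cannot be lifted and re-used over different bytes. And `UpgradeMessage` derives both vendor names from verification rather than from the `Vendor` field, so an impostor that fills in `net.foo.bar` gets the WARNING prompt exactly as a plain unsigned package would; the claimed name buys it nothing.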

A good site:
http://www.microkernel.info/

Thanks for bringing up Genode. I missed that thread when I skimmed some forum search results. The whole approach to compartmentalization, micro-kernels like the age old gnu hurd, and distributed authority within a single OS is an interesting topic and area of research. I still think there is some value to starting with a stripped down minimalist and/or hardened linux kernel and building a simple safenetwork-centric distribution. At the very least, it is a good development strategy because it gives a performance, security, and UI baseline by which to judge the micro-kernel approach, and would provide a relatively easy way of managing @Shane’s concerns/ideas while also being very familiar to most users and devs.

EDIT: I should have highlighted this from the microkernel.info link.
“Redox - A Unix-like operating system written in Rust, aiming to bring the innovations of Rust to a modern microkernel and full set of applications. Redox isn’t afraid of dropping the bad parts of POSIX, while preserving modest Linux API compatibility”

Going beyond:
As I’m sure others do, I too can envision a true SafeOS that uses encryption and consensus strategies that perfectly mirror what is going on in the SAFE Network at large (maybe even using some of the same code on local unix sockets). That way you end up with a multi-scale system that is self similar, much like a fractal or hologram, but operates at different size scales from the Safe ‘kernel’ => Safe userland => Home Safe Network => Neighborhood Safe Network => Planetary Safe Network, and beyond. (Eventually, maybe you even model the underlying hardware using same strategies…)

After datachains are implemented MaidSafe will have everything from the home network on up taken care of, and maybe more insights from the development of the network computation modules will help give more clarity to the idea of a true SafeOS at the individual node level and smaller scales. Until that stage I think it’s ok to encapsulate the Safe kernel, userland, package management portions, and hardware compatibility requirements with a stable well known linux based solution. This is especially true if you want to have something that works on the broadest range of hardware types; and resource the greatest amount of open source tools, documentation, and users. It’s a start.

1 Like

The Genode OS team already has their eyes on the SafeNetwork, as they have it in their pipeline to integrate with their Genode VFS.

https://genode.org/about/challenges

5 Likes