  1. #341  
    Quote Originally Posted by Audemars02 View Post
    While I think we all (or at least I) totally appreciate all your work to make the Pre experience the best and safest experience possible, jason already allows .patch installations via webOS Quick Install... so how is what he is suggesting for Internalz any different? If you think that this is really a big issue, wouldn't we need Jason to remove this functionality from webOS QI...not that I am suggesting that, just playing devil's advocate.
    Well, I have similar reservations about that functionality too (and have told these reservations about WebOS Quick Install and other reservations about Internalz to Jason in the past - my advice about such things is the reason why Internalz only writes to /media/internal and /var).

    In addition, I have also advised Jason since version 1.something of WebOS Quick Install that he should allow the user the option of viewing the script that is going to be run as root on the Pre, but apparently either other features have been more important than protecting the security of the user's Pre, or he doesn't share my viewpoint on the importance of transparency of root execution scripts as an important deterrent layer in maintaining the security of the Pre.

    I seriously think that the authors of powerful tools need to also consider the responsibility of how those powerful tools will be used by end-users who will click any link and install any package which has a favourable description without checking the pedigree or origin of that package or patch. The Pre has no anti-virus or anti-malware safety net.

    -- Rod
    Last edited by rwhitby; 10/24/2009 at 10:33 PM.
    WebOS Internals and Preware Founder and Developer
    You may wish to donate by Paypal to donations @ webos-internals.org if you find our work useful.
    All donations go back into development.
    www.webos-internals.org twitter.com/webosinternals facebook.com/webosinternals
  2.    #342  
    Quote Originally Posted by rwhitby View Post
    The layers of defence (and yes, they are not perfect) that we have at the moment is that all patches added to Preware are reviewed for security by people that have a long and reasonably trusted association with the Pre homebrew community, and all installations of patches via Preware give the option for the user to view the script which installs the patch, and all patch files are available for public review in a public git repository. We consider this to be enough layers of review and deterrent to minimize the risk to an acceptable level.
    Unfortunately, this is not acceptable for some people, as not everyone wants their patches forced to opensource MIT status. Myself, I don't care, but I have gotten messages from multiple people about it.

    Quote Originally Posted by rwhitby View Post
    Well, I have similar reservations about that functionality too (and have told these reservations about WebOS Quick Install and other reservations about Internalz to Jason in the past - my advice about such things is the reason why Internalz only writes to /media/internal and /var).
    To be clear, you weren't the sole reason. Originally, I just didn't want to have to do a remount on each file operation. You just helped solidify my reasoning

    Quote Originally Posted by rwhitby View Post
    In addition, I have also advised Jason since version 1.something of WebOS Quick Install that he should allow the user the option of viewing the script that is going to be run as root on the Pre, but apparently either other features have been more important than protecting the security of the user's Pre, or he doesn't share my viewpoint on the importance of transparency of root execution scripts as an important deterrent layer in maintaining the security of the Pre.
    I have it ready, just kept putting it to the side as I personally don't consider it a high priority. If anybody could have 3rd party apps call WebOSQuickInstall for installation as easy as ipkg service is, then, yea, it'd be a bit more of a high priority. But as I see it, it takes more than typing a service request in plain text to do that kind of thing.

    So with that in mind I had to prioritize development. Personally, I believe the average user would not understand what a postinst/prerm script is and just click "yes" to continue the installation. In essence, just hurting the user experience, and possibly causing app issues if they hit "no".

    With all that said, now that I've gotten the majority of the features I've wanted implemented, I'll probably come back to this, looking for a more user-friendly solution.

    Quote Originally Posted by rwhitby View Post
    I seriously think that the authors of powerful tools need to also consider the responsibility of how those powerful tools will be used by end-users who will click any link and install any package which has a favourable description without checking the pedigree or origin of that package or patch. The Pre has no anti-virus or anti-malware safety net.
    Let's be completely honest here. It's a patch. It's not a shell script or binary, as could easily be included in an ipk. Yea, ipks have a confirmation screen as mentioned, though it's just as easy for a malware site, as with your earlier example, to say "download this ipk, and hit yes when it asks to run the installation script".

    And with .patch files, only plain text is changed (and backed up in the process). A simple patch removal would undo anything patched. And don't forget nothing is concealed. You can literally open the .patch and see what it changes.


    And on a more personal note, over the past few months, I have followed WebOS-Internals directions and formats. And by now I considered you a friend. I really don't appreciate you publicly criticizing my software and implying I don't value security and don't take responsibility for my software. If you had concerns, it would've been much better to talk to me over IM.
    Last edited by Jason Robitaille; 10/24/2009 at 11:27 PM.
  3. #343  
    Quote Originally Posted by Jason Robitaille View Post
    Unfortunately, this is not acceptable for some people, as not everyone wants their patches forced to opensource MIT status. Myself, I don't care, but I have gotten messages from multiple people about it.
    Yep, and that is their right to choose whatever license they prefer. Unfortunately, closed source licenses don't provide the layer of security review that (in my opinion) is an important part of the defence against malware.

    I think some of this concern is caused by people not realising that the MIT open source license requires that the identification of the original patch author (and the authors of any modifications or improvements to the patch) must never be removed from the code. So credit for those who do the work is never removed, even as others improve or modify the patch.

    Let's be completely honest here. It's a patch. It's not a shell script or binary, as could easily be included in an ipk. Yea, ipks have a confirmation screen as mentioned, though it's just as easy for a malware site, as with your earlier example, to say "download this ipk, and hit yes when it asks to run the installation script".
    That's exactly the reason why Preware does not allow installation of ipkgs from random internet sites. Having a small set of trusted repositories is another important layer of defence.

    Many people have asked us to add a fileCoaster-like feature of being able to install an ipkg downloaded from a user-supplied URL, and much as we would like to make things convenient for the user we have had to refuse this request based on the security model we are relying upon.

    And on a more personal note, over the past few months, I have followed WebOS-Internals directions and formats. And by now I considered you a friend. I really don't appreciate you publicly criticizing my software and implying I don't value security and don't take responsibility for my software. If you had concerns, it would've been much better to talk to me over IM.
    Don't get me wrong - I think your tools and software are a great asset to the homebrew community, and I use them all the time. These things are my personal opinion about how to protect homebrew users from malware, not some kind of absolute truth (although I do believe in them strongly). They are stated in the hope of the homebrew community discussing these security issues in the open so that everyone can share their opinion - these discussions about security need to be in the open, not behind closed doors.

    My apologies if you have taken any of it as a personal criticism. It was not intended as such. There are many factors that go into the decisions about what features to include in a tool, and security is just one of them. Convenience is another one. Different people have different opinions on the relative priority of those two things.

    These things are also evolving. What is not a serious threat today may be tomorrow. Or it may not. It may well be the right thing to prefer convenience over security at this stage of homebrew evolution. I personally think it's never too early ...

    -- Rod
    Last edited by rwhitby; 10/25/2009 at 01:37 AM.
  4. #344  
    you guys are awesome, never in my adult life have I seen a community of people, online or otherwise, discuss their issues w/one another in such a respectable and civilized manner w/o resorting to juvenile name calling and one-upmanship quips. As a newcomer to....well, any of this (software development, testing, discussion) it's been the discussions like this that most serve to educate others in the ethics of development. So thank you both for your differing, yet equally amazing work, and for making known your personal and professional opinions concerning it.

    btw, does it show that i'm the middle child?
  5. #345  
    what is the command line and how do i enter the code in it?
  6. ohseedee's Avatar
    #346  
    I had been using internalz for awhile, but recently it stopped working. I tried doing a uninstall/reinstall, however I am not able to uninstall File Manager with PreWare. I keep getting a failure error during the uninstall process. I have terminal installed, so I was wondering whether there is a command I can run in Terminal to do an uninstall? Thanks.
  7. #347  
    Quote Originally Posted by ohseedee View Post
    I had been using internalz for awhile, but recently it stopped working. I tried doing a uninstall/reinstall, however I am not able to uninstall File Manager with PreWare. I keep getting a failure error during the uninstall process. I have terminal installed, so I was wondering whether there is a command I can run in Terminal to do an uninstall? Thanks.
    It would help if you first stated what the error you are getting is ...

    You should find it in the IPKG Log window.

    -- Rod
  8. ohseedee's Avatar
    #348  
    Quote Originally Posted by rwhitby View Post
    It would help if you first stated what the error you are getting is ...

    You should find it in the IPKG Log window.

    -- Rod
    "Lock mount: mounting/dev/mapper/store-root on / failed: Device or resource busy"
    "Failed ErrorGenericMethodException: Failure during 'remount' operation"

    Thanks.
  9. #349  
    Quote Originally Posted by ohseedee View Post
    "Lock mount: mounting/dev/mapper/store-root on / failed: Device or resource busy"
    "Failed ErrorGenericMethodException: Failure during 'remount' operation"
    Thank you. This indicates that there is something very different on your Pre from other people, cause this particular error is extremely rare (however it has been seen before, but the cause has not been determined).

    What is happening is that the "rootfs_open -w" call (which makes the root filesystem writeable so that some symbolic links that the File Manager Service installs can be removed again) is failing at the Linux operating system level. We have never yet been able to determine a reason for that failure. Note that call is exercised every time an advanced homebrew application, patch, or theme is installed or uninstalled, so it's not like it's something for which failing is commonplace.

    One work-around that we have found is to reboot your Pre, do not do anything else while waiting for your network connection to become available, and then run Preware and immediately try the uninstall. If this fails, and you are able to repeat the failure to uninstall, please contact me again so we can diagnose further. If it does succeed, please post here so that others know that this work-around has been successful for you.

    -- Rod
  10. ohseedee's Avatar
    #350  
    Quote Originally Posted by rwhitby View Post
    Thank you. This indicates that there is something very different on your Pre from other people, cause this particular error is extremely rare (however it has been seen before, but the cause has not been determined).

    What is happening is that the "rootfs_open -w" call (which makes the root filesystem writeable so that some symbolic links that the File Manager Service installs can be removed again) is failing at the Linux operating system level. We have never yet been able to determine a reason for that failure. Note that call is exercised every time an advanced homebrew application, patch, or theme is installed or uninstalled, so it's not like it's something for which failing is commonplace.

    One work-around that we have found is to reboot your Pre, do not do anything else while waiting for your network connection to become available, and then run Preware and immediately try the uninstall. If this fails, and you are able to repeat the failure to uninstall, please contact me again so we can diagnose further. If it does succeed, please post here so that others know that this work-around has been successful for you.

    -- Rod
    Your approach worked. I was able to uninstall successfully by doing it immediately after a reboot. Thanks for the help!
  11. #351  
    Quote Originally Posted by ohseedee View Post
    Your approach worked. I was able to uninstall successfully by doing it immediately after a reboot. Thanks for the help!
    Thanks.

    I hope that helps to show others that the amount of information given in an initial problem report has a direct influence on the quality and success probability of the responses.

    -- Rod
  12. #352  
    Quote Originally Posted by Jason Robitaille View Post
    Let's be completely honest here. It's a patch. It's not a shell script or binary, as could easily be included in an ipk.
    Patches can modify other important linux scripts/text files.

    And with .patch files, only plain text is changed (and backed up in the process). A simple patch removal would undo anything patched. And don't forget nothing is concealed. You can literally open the .patch and see what it changes.
    This is not entirely true. A patch modifies text, but you cannot classify the results or effects of these modifications as globally reversible. For instance a patch can modify/create a linux init script that will automatically run on reboot. The effects of running this script after a reboot may be irreversible and dangerous. They may be changing text only, but that doesn't mean they are harmlessly reversible.

    -Eric G

    WebOS Internals Developer.
    Follow me on Twitter for updates to my projects: | Virtual Keyboard | wIRC | SuperTux | AUPT | KeyBoss | freeTether |
  13. #353  
    I think both Jason and the other dude are great devs but i for one feel that if you throw a bit of common sense into the whole aspect of installed apps and such most people should be just fine... i repair computers that's how i earn my living i have my own company I have to clean viruses because people lack the common sense to READ the god D*** pop up before clicking ok... There have been times i have had one customer come back 2 or 3 times a month because they just don't get it... They keep going to the same site and doing the same thing over and over again... It does not matter what kind of AV app you have if you click yes install on something even though its telling you HEY bud this is bad you sure you want to do this...

    I for one will not download an app from someone that is not reputable or one that looks like its not on the up and up...

    If you see a possible risk or security hole you should tell the author about it but in a way that gets the point across but is respectful...
  14. SirWill's Avatar
    #354  
    We could almost use a thread just for discussing this security side of things. From my perspective, I would like to think that the feeds in Preware and WOSQI only have trusted apps in them. Therefore, I don't look at the scripts in Preware before running them. I probably could understand what the scripts are doing. However I would venture to guess that most people on PreCentral would not be able to understand just what the scripts are doing.

    I agree that people just click on the pop up boxes because they need to do what they perceive they need to do. However, I think that maybe a way to CYA on installing scripts from untrusted sources would be 1) Warning boxes. Do you know the source of this patch? 2) Show them the patch. Maybe even build in some logic and analyze the patch as to what it is going to touch and potentially warn the person. Yeah, I know most users will either just click the install anyway, or just choose the get me the hell out of here option.

    Just my 2 Cents.
    -----------------
    Palm III, Palm IIIc, TT, T3, T5, TX, Pre from Day 1.
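
An added example, not part of any post in this thread and not code from Preware or WebOS Quick Install: one way to do the "analyze the patch as to what it is going to touch" check suggested above, which also covers the earlier point that a text-only patch can create a script that runs on reboot. The boot directories, the expected `/usr/palm/` prefix and the sample patch are assumptions constructed for illustration.

```python
import re

# Assumed policy (not from the thread): locations whose contents run at boot,
# and the prefix an ordinary UI patch is expected to stay under.
BOOT_PATHS = ("/etc/init.d/", "/etc/event.d/", "/etc/rc")
EXPECTED_PREFIX = "/usr/palm/"
HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")

def _norm(path):
    """Drop a trailing timestamp and the a/ or b/ prefix; anchor the path at /."""
    path = path.split("\t")[0].strip()
    if path == "/dev/null":
        return path
    if path[:2] in ("a/", "b/"):
        path = path[2:]
    return "/" + path.lstrip("/")

def review_patch(text):
    """Return {target_path: [warnings]} for every file a unified diff touches."""
    report, old, target = {}, None, None
    old_left = new_left = 0          # body lines still owed by the current hunk
    for line in text.splitlines():
        if old_left > 0 or new_left > 0:
            # Inside a hunk: count lines so that a removed "-- x" line
            # (rendered as "--- x") is never mistaken for a file header.
            if line.startswith("+"):
                new_left -= 1
                if line.startswith("+#!"):
                    report[target].append("adds an interpreter (#!) line")
            elif line.startswith("-"):
                old_left -= 1
            elif not line.startswith("\\"):   # skip "\ No newline at end of file"
                old_left -= 1
                new_left -= 1
            continue
        if line.startswith("--- "):
            old = _norm(line[4:])
        elif line.startswith("+++ ") and old is not None:
            new = _norm(line[4:])
            target = old if new == "/dev/null" else new
            warnings = report.setdefault(target, [])
            if old == "/dev/null":
                warnings.append("creates a new file")
            if new == "/dev/null":
                warnings.append("deletes the file")
            if target.startswith(BOOT_PATHS):
                warnings.append("runs automatically at boot")
            elif not target.startswith(EXPECTED_PREFIX):
                warnings.append("outside " + EXPECTED_PREFIX)
            old = None
        else:
            m = HUNK.match(line)
            if m and target is not None:
                old_left = int(m.group(1) or 1)
                new_left = int(m.group(2) or 1)
    return report

# Constructed sample: a harmless app tweak plus a new boot-time job.
SAMPLE_PATCH = """\
--- a/usr/palm/applications/com.example.app/app.js
+++ b/usr/palm/applications/com.example.app/app.js
@@ -1,3 +1,3 @@
 var a = 1;
--- old note
+// new note
 var b = 2;
--- /dev/null
+++ b/etc/event.d/example-job
@@ -0,0 +1,2 @@
+#!/bin/sh
+echo example
"""

if __name__ == "__main__":
    for path, warnings in review_patch(SAMPLE_PATCH).items():
        print(path, "->", warnings or "no warnings")
```
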
  15. SirWill's Avatar
    #355  
    Oh, and being able to cut and paste basic terminal type commands would be real cool. you know things like

    mount -o remount,rw /
    cd /tmp
    wget .......
    chmod XXX
    mv xxx xxx
    Just a thought. Jason, we appreciate all you do. Rod you too.
  16. #356  
    Quote Originally Posted by SirWill View Post
    Oh, and being able to cut and paste basic terminal type commands would be real cool.
    You need to be really careful about this from a security point of view too.

    If a webOS application can run Linux commands, then you've just opened up a whole new vulnerability of rogue webOS applications (distributed through Preware, or fileCoaster, or even the Palm App Catalog), being able to use this service to install malware without you even seeing a popup warning box.

    It is for this reason that the Terminal application has been written extremely carefully to ensure that the commands that it runs come directly from the user input, and there is no way for another webOS application to make Terminal run commands.

    -- "the other dude" (see post #354 in this thread)
  17. antmon1's Avatar
    #357  
    any updates on this? is there a version now that doesn't cause that canuck error?

    thank ya...
    Palm Pre (Sprint)
  18. #358  
    Just installed Internalz and in general like it; however one item that is really missing is the Rename option. One thing I was looking forward to do was to be able to rename picture files from the standard CIMG1234.jpg to ShayDrivingInParis.jpg.

    Also I cannot see that the Info menu option is working. If Info is to work as I have seen on a Mac then I would be able to use that to rename the file.
    Maybe Info would also do the CHMOD.

    Since I am asking I would like to know what Create File really does; what goes into the file or how do you edit the file?

    So much to ask so little time to play with the Pre….
  19.    #359  
    Quote Originally Posted by Bjarne View Post
    Just installed Internalz and in general like it; however one item that is really missing is the Rename option. One thing I was looking forward to do was to be able to rename picture files from the standard CIMG1234.jpg to ShayDrivingInParis.jpg.

    Also I cannot see that the Info menu option is working. If Info is to work as I have seen on a Mac then I would be able to use that to rename the file.
    Maybe Info would also do the CHMOD.

    Since I am asking I would like to know what Create File really does; what goes into the file or how do you edit the file?

    So much to ask so little time to play with the Pre….
    Info panel is in-development, including rename ability and other stuff
    If you've liked my software, please consider to towards future development.

    Developer of many apps such as: WebOS Quick Install, WebOS Theme Builder, Ipk Packager, Unified Diff Creator, Internalz Pro, ComicShelf HD, LED Torch, over 70 patches and more.

    @JayCanuck @CanuckCoding Facebook
  20. #360  
    So Jason congrats on receiving a Pre soon, your whole world will change as soon as you get your Pre. Will the renaming file information be put into place with the next update?