
Address concerns about recommending the use of unsigned apps #11079

Open
anthonydillon opened this issue Dec 28, 2021 · 4 comments

@anthonydillon (Contributor)

Address the concern reported in these comments: https://discourse.ubuntu.com/t/create-a-bootable-usb-stick-on-macos/14016/20

@gitcnd commented Dec 28, 2021

I added another comment - the inbuilt macOS "dd" command is sufficient to create working bootable USB sticks from the ISO (tested) - there is absolutely no need to use unsigned/insecure/sketchy (or any) third party products.

Note that you need to remind users to check the integrity of the ISO they downloaded - malware/ransomware attacks are completely off the charts: the best way to ensure that your brand/product does not end up being the subject of ridicule and insecurity warnings, is to actually take security seriously from the start.

Telling people how to run unsigned third party apps by bypassing their O/S security, and permitting the links for them inside random user comments, are just 2 examples of your team NOT taking user safety and security at all seriously.
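A minimal form of the ISO integrity check asked for above, as an added example (not Canonical's code and not from the Discourse post): it compares the downloaded ISO against the vendor's SHA256SUMS file and only then hands the image to the built-in dd. The file names, the /dev/rdiskN target and the "digest *filename" layout of SHA256SUMS are assumptions.

```shell
#!/bin/sh
# Added example: verify a downloaded ISO against SHA256SUMS before writing it
# with the OS's own dd, so no third-party imaging tool is needed.
# Assumed: ISO and SHA256SUMS are in the same directory; SHA256SUMS lines look
# like "<hex digest> *<filename>". SHA256SUMS itself should be fetched over
# HTTPS from the vendor and, where a detached signature (e.g. SHA256SUMS.gpg)
# is published, checked with gpg --verify first; that step is outside this file.

# Print the SHA-256 digest of a file with whichever tool the OS ships.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'          # GNU coreutils
    else
        shasum -a 256 "$1" | awk '{print $1}'       # macOS
    fi
}

# expected_sha256 SUMFILE NAME: print the listed digest for NAME.
# Exits 1 (prints nothing) when NAME is not listed at all.
expected_sha256() {
    awk -v name="$2" '{ f = $2; sub(/^\*/, "", f)   # drop binary-mode marker
                        if (f == name) { print $1; found = 1 } }
                      END { exit(found ? 0 : 1) }' "$1"
}

# verify_iso ISO SUMFILE: 0 if the digest matches; 1 on mismatch or when the
# ISO is not listed (an unlisted image must be treated as untrusted).
verify_iso() {
    iso="$1"; sums="$2"
    want=$(expected_sha256 "$sums" "$(basename "$iso")") || {
        echo "verify_iso: $(basename "$iso") is not listed in $sums" >&2
        return 1; }
    have=$(sha256_of "$iso")
    if [ "$have" = "$want" ]; then
        echo "verify_iso: OK $iso"
        return 0
    fi
    echo "verify_iso: MISMATCH for $iso (got $have, expected $want)" >&2
    return 1
}

# write_iso ISO DISK: refuses to touch DISK unless the ISO verified.
# DISK is the raw device, e.g. /dev/rdisk2 on macOS; confirm the number with
# 'diskutil list' and unmount it first. bs=1m is the BSD dd spelling (GNU: 1M).
write_iso() {
    verify_iso "$1" "$(dirname "$1")/SHA256SUMS" || return 1
    sudo dd if="$1" of="$2" bs=1m && sync
}
```

Source the file and call `verify_iso ubuntu.iso SHA256SUMS` on its own to check an image without writing anything.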

@petesfrench (Contributor)

This may have been addressed in this PR. I will get someone using a Mac to try it out and see if we can update the instructions in the Discourse post.

@petesfrench (Contributor)

We tested this recently and there was no need to disable any security settings. We can update the Discourse post to reflect this change in process.

@gitcnd commented Aug 26, 2024

Sorry - that is not an acceptable resolution. You're instructing people to run third-party code in order to use your products, without any concern for who that third party is, and the power you're granting their product to do anything they want with the security of both the host system, and your installed product.

Does your company not have any security policy? I'd like to see the audit for all the install tools you're promoting: who are the people writing that code? What country are they in (Russia? China? Iran?) What are their own security procedures for the code they write and ship (we know in advance they didn't bother to buy an Apple certificate to ship safe code in the first place, so that's a big red warning right there).

Update - see here: https://canonical.com/blog/canonicals-security-certifications

Those certifications are EXPENSIVE, and they come with strict rules about how your company behaves. Being reckless about how people install from the start is the kind of thing to get your certifications revoked.
