Comment 2 for bug 1035207

There are two requests in this bug, the first being to add whitelist functionality to aptdaemon, and the second is to add a webapps repository to that whitelist. I will address them separately.

Aptdaemon:

I believe adding the whitelist functionality to aptdaemon is reasonable. This would also permit enterprise environments to allow their users to install a pre-approved subset of optional packages. Perhaps two whitelists and policykit rights should be added, one for users in the admin group, and a second for regular users who are logged into the console.

Webapps repo whitelist:

We would tolerate being able to install webapp packages without a password with the following caveats:

1- Installing without a password is limited to users in the "admin" group.
2- The repository whitelist for aptdaemon is shipped in a separate "webapps"-named package, and not part of the aptdaemon package.
3- Up-to-date documentation for the exact steps required for auditing the security of contributed webapp scripts. This needs to be written by someone familiar with the intricacies of how the scripts are integrated in the browser security model and how the webapps functionality was implemented.
4- An webapp script security scanning tool that can detect basic security flaws, and can be updated with new flaws as they are discovered.
5- A policy in place to systematically audit new webapp scripts and improvements to existing webapp scripts using the documentation and the scanning tool before they are accepted into the repository.
6- Tracking of a "sign-off" procedure to determine when the security auditing of contributed scripts was performed, by who, and with what revision of the auditing documentation and script.

The security team also reserves the right to remove the password exception at its discretion in the case where webapp scripts are used to facilitate malware attacks.