Zero Install Injector – Install software easily and without root privileges
Zero Install is a decentralized installation system (there is no central repository; all packages are identified by URLs), loosly-coupled (if different programs require different versions of a library then both versions are installed in parallel, without conflicts), and has an emphasis on security (all package descriptions are GPG-signed, and contain cryptographic hashes of the contents of each version). Each version of each program is stored in its own sub-directory within the Zero Install cache (nothing is installed to directories outside of the cache, such as /usr/bin) and no code from the package is run during install or uninstall. The system can automatically check for updates when software is run.
Install Zero Install Injector in ubuntu
sudo apt-get install zeroinstall-injector
This will install all the required files
This is such an insanely bad idea, I can’t even begin to convey it. “Emphasis on security”? “Signed”? By who? With what trust model?
Firefox extensions are bad enough, this is just begging for a social engineering attack.
I couldn’t agree more with Fritz. This is an absolutely terrible idea. There’s a reason why root permissions are required for installs.
@Fritz: you have to say which people you trust. For example, you could decide to only accept packages signed by official Debian packagers. See this screenshot:
Okay, yes, I see that you can trust “someone”, but there’s no real trust model.
The point is, you (or whoever) are creating an application to make it totally easy to download and run an app without root permissions, but then you’re saying the security is okay because you have to decide to trust someone, verify their identity (how?) and then accept keys and such to allow the one-click run to happen.
This is Microsoft mentality – put in a new whiz-bang feature, but make the actual SECURITY of the feature insanely hard. That way, when the hapless user gets social-engineered into downloading and running the latest rootkit, you can just shrug and say “it’s the user’s fault, they accepted the certificate!”. But the reality is, you didn’t give them the tools to be smart about the security in the first place, so you shouldn’t have introduced the tool.
See Microsoft UAC for a classic example of this. Have you ever looked at the “details” of any of those UAC dialogs? They don’t say what the action is going to be, they usually have a CLASSID of some random control instead of a name, they provide no useful information for a decision. But Microsoft put it in so they could blame the users and shift responsibility for their completely broken trust model.
First, let’s clarify what is meant by “without root permissions”, because there are two possible interpretations. For example, Fedora recently allowed unprivileged users to install RPMs from their repository; the packages executed as root as they installed. This is not what Zero Install does. It does not execute any code from the package (as root or as anyone else) at install time. Installation is side-effect free.
So, it’s not letting users do anything they couldn’t already do (e.g. by downloading a shell script and clicking on it), but it does give them much better information (such as indicating that the package is signed by their distribution, or that the signing key has changed since they last updated).
In particular, you can’t use it to install a rootkit as you suggest. The user would have to take some extra step (e.g. entering their password at the sudo prompt). If software installation doesn’t need to be done as root, then fewer users will need to have administrator access in the first place. In an ideal world, we wouldn’t need to worry about users installing strange software any more than we currently worry about them visiting strange web sites.
Now, whether you think installing something this way is “more secure” or “less secure” depends what you’re comparing it to:
Compared to not installing the software, it’s probably less secure (unless the package being installed helps with security or something…).
Compared to installing a .deb package, from the same author? Probably more secure, since the installation isn’t happening as root.
Compared to installing a random .deb you found on the web which you have no basis to trust? Slightly more secure perhaps, but you’d better be careful either way. Probably combining it with some sandboxing or virtual machine would be good (Zero Install lets you share libraries between mutually-suspicious VMs, for example).
Ultimately, a Linux community made up of users too scared to install software doesn’t help the Free software ecosystem. Developers need users to test new versions of their software, and we need to make it as easy and safe as possible.
Today is 22 march 2011–one year after this argument between Fritz and Thomas.
I am new to ubuntu (first install 10.10)
Where do you stand today Thomas ? Were your arguments accepted by users ? because-Ubuntu is HUGE today (after 10:10). 3 months inside and I love it.
Anything to say Fritz ?
I’m with Krishna – this was a short but fascinating debate. Each post swung my (relatively newly formed) opinions from side to side. Great stuff.
I would like to hear more from both. As a non-idiot but non-technical user, who has recently been subjected to forced immersion education as a result of the Windows ‘experts’ being either too corrupt or too ignorant to do anything apart from direct endless geese-chasing – I’m now alternately between the two kernels. I have zero desire to use Windows whatsoever; Kubuntu is really quite amazing…but the transition is (imo) unnecessarily complex.
Sometimes the most inane procedures will take frustrated hours to do what would have been done in Windows in mere minutes or less – like installing Skype sigh.
I understand the arguments about security; man do I know some things about Microsoft I did not know 4 months ago – things that, quite frankly, I’m surprised haven’t placed some people in some prisons. So I understand the dilemma, but as a ‘spoiled’ (horrible word choice, should be something like “marinaded”) Windows user – I find myself just taking outrageous risks with Linux in frustration at endless complexities (a large portion of which are purely the function of ignorance, of course). So I dunno, seems a bit like 6 on one side, half-dozen on the other.
I think I have to lean towards Thomas’ side of the debate, but only because I’ve been corrupted by a lifetime of (unknowingly handing over control of my entire life to) Windows. Moving forward, education simply has to be preferable to ‘convenience’.
I’ve learned that, the really hard way.
Just entering a password. That’s all. Just entering one single password. Is this task so onerous that we need help, or else the crippling inconvenience will…err…cripple us? I am happy to stay and certain and not wonder who I should trust when I install software. And entering my password is really, really simple.
Throwing in my 2 cents:
So.. basically this is choosing between running:
sudo apt-get install “whatever you want”
sudo apt-get install zeroinstall-injector
and then installing “whatever you want” with zeroinstall.
All this does is shift the problem. This doesn’t solve anything, since I still need sudo rights to begin with.
What in the hell is up with these ridiculous comments??
FACT: Whenever you install a piece of software, you are trusting whoever put out that software that it isn’t malicious.
Q: Would you rather install a piece of software that is open source, or closed source? Hint: Open.
Q: Would you rather let a program have root access to your computer, or just user-level access? Hint: user-level
Again, what the hell?
Zero Install solves one of the biggest programs ever to face Linux: NO FREAKING PROGRAM INSTALLATION STANDARDS.
Users should not be trapped into waiting on a distro company like Canonical for Ubuntu or Red Hat for Fedora or Novell for SUSE or anyone else just to get the programs they want. It should be a PIECE OF CAKE to get the latest version of Firefox, EVEN a totally new major revision of Firefox (like moving from Firefox 3 to Firefox 4, etc) if that’s what a user wants. Sadly, right now it’s not easy, and users are trapped because of it. The only thing Mozilla offers them are a binary TAR file which contains no installers whatsoever, so they have to manually create shortcuts/icons/links/menu entries just to get the damn thing properly on their system, and in addition they won’t get any updates at all, they have to go manually download a new TAR file and extract it and copy it over the old one every time there is an update.
Zero Install = SOLUTION TO HORRIBLENESS.
As soon as the Linux community pulls their heads out of their asses and starts making intelligently-designed programs based on intelligent STANDARDS, then maybe Zero Install will no longer be necessary, but for right now it is necessary because it is installable across all distros and even runs on Windows and OS X.
Linux is supposed to be about freedom for users though, and due to the lack of installation standards, companies are exploiting Linux users by locking them into their own stacks of software. Not completely, but for your grandma? YES. For the average Joe Sixpack? YES.
It’s time for Linux users to say screw all that, and to start supporting initiatives for true freedom on Linux with attempts like Zero Install.
How can i install Zero Install Injector without root privileges to install apps without root privileges.
If i have not got privileges i can not install Zero Install Injector.
Otherwise roots are good people. Just ask them to install the app.
I can think of a perfect application for this program.
I work in a school district in Pennsylvania. Our district uses about 70% Mac OSX and 20% Linux (though the numbers are very rapidly growing)
We currently have a program for OSX called Casper, which includes a “Self Service” program. This program allows teachers to install previously approved programs to their computer with no intervention from us. Want to install iTunes? Fire up self service and get it. Done.
This program seems very similar, but works for Linux. It appears to me that you can configure a small list of applications that one can access, then let teachers (or other un-privileged users) install whatever programs they happen to want.
What say you?
You sound like you’re implying that users are restricted from being able to run certain programs. Zero Install doesn’t restrict anything, but it could possibly be tied in with programs that could. All Zero Install does is use the system that works across platforms: Extract archive, run program. Except it does all that for you, creates menu entires, and has auto-updates.
If you want to offer some Linux clients a selection of software to install, traditionally this is done with repositories and distro packages, but those are distro-specific and version-specific. Zero Install doesn’t yet have an “App Store” like that, but that is one of the things that is being worked on. Instead if you want to showcase a bunch of applications for Linux users (regardless of distro) as well as Windows and Mac and BSD users to install, just hosting an internal website would probably be the easiest solution for now.
wow, what a strong reaction (fritz).
it sounds as if someone was trying to REPLACE the current system with zeroinstall. in that case i could understand the reaction, but nobody wants that.
the sensible answers are given by thomas already.
my point of view:
rox-filer (also managing the desktop) is slightly weird when you’re used to nautilus/thunar/explorer but it’s totally fast, stable and works flawlessly even on a new system (just replaced thunar on a standard xubuntu 11.10 installation. i’d been trying pcmanfm but it’s far less stable although it’s standard on lubuntu). rox is also managing the desktop on my machine. and it’s stable – has never crashed so far (i’ve tried it on 2 different systems) but always gives some kind of sensible error message instead.
for that i need zeroinstall to install some plugins/apps. and it works. it’s different from standard ubuntu, very different.
i don’t see where it would be more dangerous than, say, installing plugins for audacious, or using lastfm standalone player which starts processes on every boot without asking – i had to uninstall it – and also tells me i can’t listen to free music anymore, and locks up, although i’ve been listening to lastfm for years and still do. uninstalled. well, that’s just an example for a program which is in the repositories for *buntu.
anyhow, blabla, who would go programming malicious software for zeroinstall, solely used by a few rare rox-users…
but rox rocks, try it out, even in 2012!
respect to thomas leonard.
forget about zeroinstall but rox as default file manager for some ubuntu distro, how about that?
just change the default single click to double click and it becomes far easier to understand.
for me personally, the golden middle path between total cli-ness and total gui-ness.
ps: if something malicious befalls me due to zeroinstall, i’ll come back here and post. big promise.
I think that this software has a really nice use.
To begin with, you can install software without root privileges, what is good when you are using a machine that isn’t yours.
I think most people misunderstood the propose of it, because installing without root privileges is different of running without root privileges, I haven’t had a chance to try it out to see if I’m right, but I think I got the ideia.
If I said something wrong please correct me, and I hope my opinion helped somehow.
Megabot: No they are not the same.
sudo apt-get install packagename is a Commandline shortcut to the built in (and GUI) package manager, which means the packages are being installed from the same secure source that created the Linux Operating System you are using (Ubuntu in this case). If you can’t trust that source then you can’t trust anything.
using zeroinstall injector means you can download the install file from anywhere (including, of course the secure source that created your operating System), and some, even many, of those sources might not be trust worthy.
In the final analysis sudo apt-get install is part of the same circle of trust that your GUI package manager or Software Centre is, while Zero install injector is not.
Zero Install injector is based on the mistaken assumption that it is better to give Windows users the same style of insecure installer as Windows uses (install.exe, install.msi plus UAC) The fact that the applications only install to the current users account does nothing to protect that user from Trojans that could potentially gain root access to the rest of the Linux system, as everything about Zero install injector relies on the users being fully informed, by a trust worthy source.
I like Synaptic Package manager I had to install it on the *buntu I am using to write this (Lubuntu) I think but all you do is find a program you like or type a name in search box and all realted packages show up, click on check box beside it, select “mark for installation” and click apply and in a fes seconds iw will be installd and all dependencies taken care of for you, how could it be easier than that, and all from trusted sources. Yet you could manually edit the sources.list and add a repository that could house malicious sotware.
But at least the packages are signed using a PGP key.
But I too have been guilty of downloading a few .debs in my day and installing them.
I am always leary to do so though, and i always Checksummed them using MD5sum or sha1 to verify the package integrity, but still trusting the person who created and signed the package to begin with. I just have more trust for some sources like the Debian or Canonical repositories. And I feel that a hacking or something of their website or server would be discovered rather quickly.
I tend to somewhat agree with Fritz about using the conventional trust model which is the backbone of Linux security for the average user, it is tried and a well known way.
But I do see the potential for Zeroinstall being worthwhile in some situations perhaps, if you were using a computer that wasn’t yours.
I suppose (in my humble opinion) that it boils down to whether or not you want to take the risk or not and like thomas said, how well you research and find out about the source of a package or repository before you added it as OK to Zeroinstall, to the limit it would be possible to do that.
Quoting Iago Caran:
“you can install software without root privileges, what is good when you are using a machine that isn’t yours.”