Created: 2008-12-3 by Till Kamppeter https://launchpad.net/people/till-kamppeter
Packages affected: system-config-printer, jockey, packages containing download site keys and repository whitelist
Ubuntu Linux (and probably also Fedora and Mandriva, as they also use system-config-printer) has had the infrastructure for automatically downloading printer drivers through the Internet from the OpenPrinting web site since Intrepid. For now it only downloads PPD files and packages of PPD files, no packages with binary executables. To automatically download binary executable packages by default, such as printer drivers from the printer manufacturers for their non-PostScript models, it must be assured that these packages, which do not come from Ubuntu, do not break the user's system and do not introduce any malware.
This means at first that we need to provide proper, secure signing of the packages on the OpenPrinting server, and distributions need to include the keys. In addition, the printer manufacturers who upload their drivers to OpenPrinting must take responsibility for their uploads. This responsibility cannot be taken by OpenPrinting or the Linux Foundation.
This way we assure that the drivers are really from the respective manufacturers and that the Linux Foundation is not liable for any problem caused by the driver packages.
In addition, we will let the manufacturers upload binary tarballs with the files at standardized places and let the server automatically generate the LSB packages of the drivers. This removes the need for packaging knowledge on the manufacturers' side and the risk of system corruption by badly located files/symlinks or inadequate actions in the maintainer scripts.
We will discuss here the requirements of Ubuntu to accept the binary driver packages from the printer manufacturers auto-downloaded from the OpenPrinting web site.
Most printers need model-specific drivers. Under Windows and Mac OS the manufacturers provide driver packages on CDs which come with the printers and also on their own web sites. They usually provide one driver package for Windows and one for Mac OS. These operating systems also have forms of automatic download. We also want to have automatic download on Linux, but it should be done in a secure way.
LaserStar Electronics in Japan wants to publish Linux/Unix printer drivers for their wide range of printers, from 30-EUR cheap inkjets over 256-ink high-end photo printers up to 30-pages-per-second color laser office multi-function devices. They want to make it as easy as possible for their customers to get their drivers, independent of which distribution they are using and whether their printer is newer than that distribution. Simply plugging the printer in and doing some mouse clicks should be sufficient for the driver to get downloaded and installed. They want to be sure that really their driver package arrives on the customer's machine and no man-in-the-middle attack happens on the way.
All Linux distributions and perhaps all POSIX-style operating systems.
The client side code for automatic driver download is already implemented in Ubuntu, only a small configuration change (in Jockey) has to be done so that Ubuntu also auto-downloads packages with binary executables.
This includes the results of the OpenPrinting Summit 2009 and the Karmic UDS BoF.
- Printer drivers with binary executables must come from the printer manufacturers.
- Binary printer driver packages to be auto-downloaded must be generated by the OpenPrinting database server based on files uploaded by the printer manufacturers.
- Binary printer driver packages to be auto-downloaded must be signed.
- Responsibility for the drivers must be taken by the printer manufacturers.
- The appropriate key to verify the packages downloaded from OpenPrinting needs to be included in the Ubuntu distribution in the app-install-data-partner package (to be done by Michael Vogt, mvo).
- Automatically check packages when they arrive on the OpenPrinting server for suid binaries and CUPS backends with 700 permissions, as in these cases the executables run as root.
- Do an automatic strace of every executable set to run as root to ensure that it does not access random files.
Please refer to <https://wiki.ubuntu.com/FoundationsTeam/Specs/JauntyTrustedThirdParties> and the discussion of standards for third-party archives for which Ubuntu will be willing to include archive keys by default.
- The server should provide one repository for all packages (or at least main and contrib) and not one repository for each driver.
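The server-side check called for above, as an added example (not OpenPrinting's own tooling; the driver name "lsdrv" and the file layout are constructed): a POSIX shell audit of an unpacked package tree that flags setuid/setgid files and CUPS backends installed with mode 0700, the two cases in which the executable runs as root.

```shell
# Added example (not OpenPrinting's own tooling): audit an unpacked driver
# package tree for executables that would run as root once installed, i.e.
# setuid/setgid files and CUPS backends shipped with mode 0700 (cupsd runs
# 0700 backends as root; 0755 backends run as the unprivileged lp user).

# audit_root_executables ROOT
# Prints one "REASON path" line per finding; returns 1 if anything was
# flagged and 0 if the tree is clean.
audit_root_executables() {
    root="$1"
    report=$( {
        # setuid or setgid bit anywhere in the payload
        find "$root" -type f \( -perm -4000 -o -perm -2000 \) \
            -exec printf 'SETUID/SETGID %s\n' {} \;
        # backends delivered with exactly mode 0700 are executed as root
        if [ -d "$root/usr/lib/cups/backend" ]; then
            find "$root/usr/lib/cups/backend" -type f -perm 0700 \
                -exec printf 'ROOT-BACKEND %s\n' {} \;
        fi
    } | sort )
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    return 1
}

# count_findings ROOT: number of flagged files, for scripted gating.
count_findings() {
    audit_root_executables "$1" | grep -c .
}

# make_sample_tree ROOT: constructed payload standing in for an unpacked
# manufacturer package of a hypothetical driver "lsdrv"; files are empty.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/usr/lib/cups/backend" "$root/usr/bin"
    : > "$root/usr/lib/cups/backend/lsdrv-net"
    chmod 0700 "$root/usr/lib/cups/backend/lsdrv-net"   # flagged: root backend
    : > "$root/usr/lib/cups/backend/lsdrv-usb"
    chmod 0755 "$root/usr/lib/cups/backend/lsdrv-usb"   # fine: runs as lp
    : > "$root/usr/bin/lsdrv-config"
    chmod 4755 "$root/usr/bin/lsdrv-config"             # flagged: setuid
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    audit_root_executables "$tmp"; echo "audit exit status: $?"
    rm -rf "$tmp"
fi
```

Run with `--demo` to see the two findings on the constructed tree; in a real intake pipeline the non-zero status would hold the upload for manual review.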
Jaunty BoF agenda and discussion
- Participants (at least): Till Kamppeter, Martin Pitt
- Discussion of the Outstanding issues
- Web site tells you which printer works with which driver
- Put up facilities to automatically download drivers from the web site
- WebAPI to map a printer to a driver, point to a repository (yum, zypper, apt) and a package name (rpm, deb)
- Bona fide repository (can add to sources list)
- Currently Jockey only downloads no-arch packages (by and large, packaged PPDs)
- GSoC student will set up scripting on the server for automatic package generation and automatic setup of the packages in the archives. He also will make a web app for uploading packages.
- Put up binary executables (for non-PostScript printers) and let the server package them
  - security problem
    - assure they are not spoofed
    - assure that companies that upload the binaries take responsibility for them
  - issues related to free versus non-free
- Quality assurance:
  - Let packaging be done by the server. This assures that files are at correct places and maintainer scripts only contain pre-defined actions, like restarting CUPS, symlinking CUPS backends to /usr/lib/cups/backend/, ...
  - Current packages contain shell scripts that set symlinks, often to places that don't exist in the distros
    - only allow blessed macros (done automatically for packages created on OpenPrinting)
  - use dpkg triggers to detect new PPDs, no need for a maintainer script (triggers to replace maintainer scripts are not available on all LSB distros)
  - future LSB should mandate standard paths for PPDs (/usr/share/ppd/) and CUPS backends (/usr/lib/cups/backend/)
- Generally assume that the manufacturers are not malicious
  - Though not malicious, they may still deliver code with exploits
  - Some actions that a manufacturer may not consider "malicious", our users might (collect user data, etc.)
- Truly secure compilation is a hard problem (the compilers themselves can be compromised).
- Packages should never have overrides.
- PostScript is a programming language, and can be used to create exploits (make a printer a spam server).
Getting Keys into Distros
root LF key (highly secure) -> LSB 4.0 key (also offline) -> LSB 4.0 daily build key (autogenerated)
We thank especially HP and Konica Minolta for the financial support of OpenPrinting.