Bug#1094998: steam-devices: should document the security trade-offs implied by installing this package
Fabian Greffrath
fabian at greffrath.com
Mon Feb 3 07:45:25 GMT 2025
Hi Simon,
On 2025-02-02 13:23, Simon McVittie wrote:
> If packages outside the Valve/Steam ecosystem are going to install
> steam-devices automatically (#1094936) or encourage it to be installed
> (#1078751) then it should have documentation describing the trade-off
> between functionality and security that it implies.
>
> I am "too close" to this package to write that documentation: I don't know
> where prospective users of this package would look for this information
> (README.Debian? the Description? Appstream metadata, if added by #1078751?)
> and I don't know how to condense the details of its security tradeoffs into
> a short summary.
>
> Below is an attempt at the long version, with the benefits and risks of
> each thing that it enables. I would appreciate it if someone else could
> condense this into a summary.
thank you very much for the elaboration, it was a fun read! I guess your
expertise on this topic is unmatched by most other developers.
I think the long version of the risk documentation that you provided
below would fit perfectly into README.Debian, though I agree that a
TL/DR version would be nice to have as well. This should be accompanied
by a short reference in the package description such as "Installing this
package may impose some security risks that are discussed in detail in
/usr/share/doc/steam-devices/README.Debian." The downside of this
approach is, of course, that the documentation will only be available
once the package is already installed.
But, to be honest, if you already share your computer hardware and
access at the system console with a malicious user, there may be way
more obvious ways to get attacked than through the steam-devices
package, right?
Cheers,
- Fabian