Bug#877656: kodi: supports insecure download of non-free addons

Jonas Smedegaard dr at jones.dk
Wed Oct 4 01:08:17 UTC 2017


Quoting Felipe Sateler (2017-10-04 00:32:21)
> On Tue, Oct 3, 2017 at 7:04 PM, Jonas Smedegaard <dr at jones.dk> wrote:
>> Quoting Felipe Sateler (2017-10-03 23:32:24)
>>> On Tue, Oct 3, 2017 at 5:49 PM, Jonas Smedegaard <dr at jones.dk> wrote:
>>>> Kodi supports downloading and loading addons at runtime.
>>>>
>>>> Official addon feed is served only via http and contains non-free 
>>>> addons.
>>>>
>>>> Allowing to extend the system with non-free addons at runtime by 
>>>> default is arguably an anti-feature in itself.  Doing so insecurely 
>>>> poses a risk of malicious code getting into users' home and being 
>>>> executed by Kodi.
>>>>
>>>> Attached patch relaxes to make addon feed optional.
>>>
>>> Making plugin feeds optional sounds good though.
>>
>> Right.
>>
>> I realize my choice of words might be confusing: feed is optional in 
>> code with the patch, meaning it won't fail to start if missing.  On 
>> the packaging level I however intend at first to have kodi 
>> _recommend_ the feed, so it will be pulled in by default - so until 
>> an alternative exists it is an "opt-out" not an "opt-in".
>
> BTW, I think there are two issues conflated here:
>
> 1. Insecure downloading of code
> 2. Non-free addons available by default.
>
> I think your patch mainly addresses issue number 2, doesn't it? Fixing 
> issue 1 would require asking upstream to provide 
> https://mirrors.kodi.tv/addons/krypton/addons.xml.gz.md5 (and upgrade 
> to a better hash algorithm).

Uhm, my patch is the very window to not requiring upstream to solve the 
security issue: When I can set up a curated service with DFSG-free parts, 
then (because my code will be released as Free software) you can set up a 
curated service of all parts.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
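The sidecar-digest check Felipe describes above (an addons.xml.gz.md5 next to the feed, ideally with a stronger hash), shown as an added example that is not part of this thread or of Kodi's code; the feed bytes and file name are constructed sample values, and the verifier rejects an MD5 sidecar unless the caller explicitly allows it.

```python
import hashlib
import hmac

# Digest algorithms accepted by default for verifying a downloaded feed.
# MD5 is deliberately excluded: the thread asks for a better hash algorithm.
STRONG_ALGORITHMS = {"sha256", "sha512"}

# Constructed stand-in for addons.xml.gz (not a real Kodi feed).
SAMPLE_FEED = b"<addons><addon id='plugin.video.example' version='1.0'/></addons>"
SAMPLE_NAME = "addons.xml.gz"


def make_sidecar(feed_bytes: bytes, filename: str, algorithm: str) -> str:
    """Produce a coreutils-style sidecar line: '<hexdigest>  <filename>'."""
    digest = hashlib.new(algorithm, feed_bytes).hexdigest()
    return f"{digest}  {filename}\n"


def verify_feed(feed_bytes: bytes, sidecar_text: str, expected_filename: str,
                allow_weak: bool = False):
    """Check feed_bytes against a sidecar line; returns (ok, reason-or-algorithm)."""
    parts = sidecar_text.split()
    if len(parts) != 2:
        return False, "malformed sidecar"
    expected_hex, filename = parts
    # md5sum/sha256sum prefix the name with '*' in binary mode; ignore that.
    if filename.lstrip("*") != expected_filename:
        return False, "sidecar names a different file"
    # Infer the algorithm from the hex digest length (md5=32, sha256=64, sha512=128).
    algorithm = {32: "md5", 64: "sha256", 128: "sha512"}.get(len(expected_hex))
    if algorithm is None:
        return False, "unrecognised digest length"
    if algorithm not in STRONG_ALGORITHMS and not allow_weak:
        return False, f"{algorithm} is not an accepted algorithm"
    actual_hex = hashlib.new(algorithm, feed_bytes).hexdigest()
    # Constant-time comparison, so the check does not leak how many bytes matched.
    if not hmac.compare_digest(actual_hex, expected_hex.lower()):
        return False, "digest mismatch"
    return True, algorithm


if __name__ == "__main__":
    good = make_sidecar(SAMPLE_FEED, SAMPLE_NAME, "sha256")
    print(verify_feed(SAMPLE_FEED, good, SAMPLE_NAME))                 # (True, 'sha256')
    print(verify_feed(SAMPLE_FEED + b"x", good, SAMPLE_NAME))          # (False, 'digest mismatch')
    weak = make_sidecar(SAMPLE_FEED, SAMPLE_NAME, "md5")
    print(verify_feed(SAMPLE_FEED, weak, SAMPLE_NAME))                 # (False, 'md5 is not an accepted algorithm')
```

A sidecar fetched over the same plain-http channel as the feed can be swapped together with it, so this check only detects corruption unless the sidecar (or a signature over it) arrives over an authenticated channel such as https.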
