Fwd: "Download & Install" vs "Repositories & Synaptic" and the
need for a new URI [Was: Re: Going forward [Re: Automatix?]]
Tristan Wibberley
maihem at maihem.org
Sat Apr 1 14:28:32 BST 2006
Jason Taylor wrote:
>>> This is similar to the way Firefox treats extension installs, they
>>> fail by default unless the domain is on a whitelist. Then the user
>>> must add to the white list before trying the install again.
>> There aren't many complex interdependencies in a Firefox install. A
>> whole operating system, fine grained approach like Debian and Ubuntu
>> follow is going to take more sophistication.
> Was referring to the whitelisting of sites/repos not the actual install
>
> i.e. the install should fail by default if the repo is not in the user's
> sources.list
But if the user is encouraged to add arbitrary sources maintained by
those he trusts to be sincere, they may still stop later security
updates, e.g. by conflicting with newer versions of a package that has a
flaw discovered, or depending on a package that is replaced in the main
repos. This is a difficult problem, and while a simple "install from
configured repositories" should be implemented, it should only be done
with the intention of going further to cope with unreliable dependency
graphs and to make the computer understand what is a reliable source of
dependency information and what isn't - at which point temporary sources
don't hold so much fear as long as the user gets a big fat warning.

There is also the issue about daemons starting by default. A URL could
instruct a daemon to be installed along with some desired program, which
can then be easily used (the web logs will say which IP just installed
the daemon so it can be attacked almost immediately).

So even though the client can be implemented pretty easily to make
URL/URI directed installs easy, there is still a lot to think about, and
things in the standard sources to be changed, before Ubuntu could take
such a feature live. However, I do agree that the initial feature should
be implemented soon to stop people from thinking that downloading
arbitrary debs and installing them is normal - the computer should help
them to find the official packaged version and provide ways for websites
to direct them to it.

--
Tristan Wibberley
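
The fail-by-default check proposed in the quoted text (refuse an install unless the repository is already in sources.list), as an added example that is not part of the original thread. The function names, the sample sources.list and the (uri, suite, component) request shape are assumptions; the check does not address the dependency-conflict or daemon concerns raised in the reply.

```python
from urllib.parse import urlsplit

# Constructed sample in the one-line sources.list format (not from the post).
SAMPLE_SOURCES = """\
# main archive
deb http://archive.ubuntu.com/ubuntu dapper main restricted
deb-src http://archive.ubuntu.com/ubuntu dapper main restricted
deb [arch=amd64] http://security.ubuntu.com/ubuntu/ dapper-security main
#deb http://example.org/thirdparty dapper main
"""

def normalize(uri):
    """Lower-case scheme and host and drop trailing slashes, for comparison."""
    parts = urlsplit(uri)
    return (parts.scheme.lower(), (parts.hostname or "").lower(),
            parts.port, parts.path.rstrip("/"))

def parse_sources(text):
    """Map (normalized uri, suite) -> set of components for binary 'deb' lines."""
    configured = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        fields = line.split()
        if not fields or fields[0] != "deb":  # skip blanks and deb-src
            continue
        rest = fields[1:]
        if rest and rest[0].startswith("["):  # optional [key=value ...] block
            while rest and not rest[0].endswith("]"):
                rest = rest[1:]
            rest = rest[1:]
        if len(rest) < 2:                     # malformed line: ignore it
            continue
        uri, suite, components = rest[0], rest[1], rest[2:]
        configured.setdefault((normalize(uri), suite), set()).update(components)
    return configured

def install_allowed(configured, uri, suite, component):
    """Fail by default: allow only an already configured repo/suite/component."""
    return component in configured.get((normalize(uri), suite), set())

if __name__ == "__main__":
    cfg = parse_sources(SAMPLE_SOURCES)
    for req in [("http://archive.ubuntu.com/ubuntu/", "dapper", "main"),
                ("http://example.org/thirdparty", "dapper", "main")]:
        print(req, "->", "allow" if install_allowed(cfg, *req) else "refuse")
```
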