walinuxagent and out-of-archive code updates
Steve Langasek
steve.langasek at ubuntu.com
Tue Mar 14 22:39:51 UTC 2017
Hi Jeremy,

On Tue, Mar 14, 2017 at 04:03:24PM -0400, Jeremy Bicha wrote:
> On Tue, Mar 14, 2017 at 1:01 PM, Steve Langasek
> <steve.langasek at ubuntu.com> wrote:
> > Obviously we have good reason for a policy that third-party repositories and
> > code update mechanisms are not allowed for Ubuntu at large. In this case, I
> > believe it's acceptable because:

> I thought I should mention steam then. I believe the 'steam' package
> is just a bootstrapper to download the latest steam client to ~/.steam
> and run it from there. It will also update itself when launched.
> 'steam' is in multiverse and so far has mostly only been minimally
> maintained in Ubuntu to keep it fake-synced with Debian.

Thanks. I think this is mostly a matter of me simply misstating the actual
policy rather than something we need to change in the steam package (though
boy, it sure would be nice if there was an easy index to past TB
decisions!).

I also may be imagining policies around some of these things that may have
actually been Debian policies rather than Ubuntu policies.

There are a number of packages in the archive which support downloading code
under a user's direction, and then running that code, as a user. We have a
policy for the desktop that specifically disallows downloading of arbitrary
code from the Internet with a web browser and auto-executing it; but we also
support download of plugins from the browser's plugin store, where the
browser verifies the authenticity of the plugin, downloads it, and executes
it in its own runtime. steam parallels this: downloads are entirely
user-directed, and the user opts in to using the steam client.

What we have said is that we do not allow official Ubuntu images to enable
third-party apt sources which potentially muddle the provenance of every
package on the system. That was not a blanket statement that nothing
installed at the system level could pull code from places other than the
Canonical-signed archives; but I think any package that does this should be
assessed case-by-case.
--
Steve Langasek
Debian Developer
Ubuntu Developer
slangasek at ubuntu.com / vorlon at debian.org
http://www.debian.org/

"Give me a lever long enough and a Free OS to set it on, and I can move the world."