Idea #3647: Let APT-URL install a repository

Written by earobinson the 7 Mar 08 at 01:07. Category: Installation. Related project: Nothing/Others. Status: New
Rationale
APT-URL can currently install any program in the Ubuntu repositories, which is a great thing. It makes installing a program simple and easy. What would be nice is if APT-URL had a list of trusted sites, similar to how Firefox extensions work, and APT-URL had more power, like being able to add repositories.

Especially with the Launchpad Personal Package Archives, this seems more needed.

By using a list of trusted sites we could avoid bad repositories being added, and show a warning message when a repository was going to be added.

EDIT: I misspelled repository in the title; can a mod fix it?
194 votes (closed)
Solution #1: Auto-generated solution of idea #3647
Written by earobinson the 7 Mar 08 at 01:07.
Ubuntu Brainstorm was updated in January 2009. Since the idea #3647 was submitted before this update, its rationale and solution are not separated. Please vote accordingly, and if you have the necessary rights, please separate the rationale from the solution. Thanks!

Comments
earobinson wrote on the 7 Mar 08 at 01:28
I also blogged about this @ http://www.earobinson.org/2008/03/06/lets-let-apt-url-install-epositories/

RyanPrior wrote on the 7 Mar 08 at 02:41
You misspelled repository - can you change it?

c.sokun wrote on the 7 Mar 08 at 02:47
+1, I hate having to remember what to install each time I do a fresh reinstall of the box. However, one question: will apt-url fetch only the latest version (or the relevant version for my box? 7.10, 8.04, etc.)

earobinson wrote on the 7 Mar 08 at 02:50
Wow, I did, and it was "epository" on my blog. I can't change it; maybe an admin can?

zelut wrote on the 7 Mar 08 at 03:29
-1 : I think this would simply lead to common use of third-party repositories which is a bad idea. I would wager that the users that want packages bleeding-edge enough to still be in a PPA can add the repository themselves.

By the time the code is mature enough it'll make it into universe/multiverse and the standard apturl will work.

earobinson wrote on the 7 Mar 08 at 04:03
@zelut, what about miro and programs like that?

facundocorradini wrote on the 7 Mar 08 at 04:14
BAD idea. That would be extremely dangerous.

Adding third-party repositories usually leads to mega-disasters

onno-itmaze wrote on the 7 Mar 08 at 04:18
Your byline on your blog says it all in my opinion: “Brilliant people simplify things, and mediocre people complicate things.” — Unknown

You might think that you're trying to make things simpler, but you will achieve the exact opposite and make life more complicated.

The reason this is the case is simple, support.

The "desire" to install anything and everything is an unmaintainable nightmare. This suggestion makes that even harder.

The notion that because you can, you should is in my opinion wrong. As an IT professional charged with supporting computers around the world on a daily basis this notion of everything all the time is not sustainable.

I have no problem with you voicing your opinion, but I have extreme distaste for the idea.

Finally, you responded to zelut: "what about miro and programs like that?"

The response should be: "If it's not packaged inside Ubuntu, then work towards achieving that aim. Installing it as a third-party repository is just bad."

I suspect you'll want an example to go with that. Let's for a moment imagine that I wanted to install package FooBar. It depends on a specific version of FooBar.lib, which has been compiled and is also available with the FooBar application on the third-party repository. On the face of it, you add the repository, then install FooBar, which also downloads and installs FooBar.lib. If all goes well, your application FooBar now works. Finished right?

Well no. If FooBar.lib also appears in Ubuntu itself and other applications like FooBob rely on the older version, then we get unpredictable behavior. Best case scenario, the local Ubuntu application FooBob crashes, so you see that something's wrong, but more likely, all of a sudden one aspect of FooBob is broken and now you need support.

So, I get a call saying: FooBob doesn't work. After three weeks of tracking down problems, it turns out that the issue is related to FooBar.lib, something I've never heard of and something you as the application user don't even know about.

That is why this is a bad idea.

Onno Benschop

earobinson wrote on the 7 Mar 08 at 04:45
onno-itmaze, you bring up a good point, but people are editing their repos anyway, so we currently have all those problems as it is.

madjr wrote on the 7 Mar 08 at 07:03
@earobinson

"onno-itmaze, you bring up a good point, but people are editing their repos anyway, so we currently have all those problems as it is."

You stand corrected, earobinson: we do have all those problems as of right now.

The best solution would be to auto-create a backup image every time you change repos.

A restore system should be implemented first.

Something similar to Mac OS Time Machine.

If anything bad goes on you can restore.

For Linux we have TimeVault
http://lifehacker.com/software/featured-linux-download/timevault-time-machine-for-linux-275399.php

and FlyBack
http://web2linux.blogspot.com/2007/11/apples-time-machine-now-for-linux.html
http://flyback-project.org/

http://brainstorm.ubuntu.com/idea/266/

nnonix wrote on the 7 Mar 08 at 08:22
One argument is that this won't cause harm because we already have people adding 3rd party repositories. A similar argument could be made about using Automatix, logging directly into the root account, even having listening ports open by default. Just because people do it doesn't justify a bad idea.

More importantly, consider the possible damage this would cause to apt-url. As it stands now it is a very safe utility because, for most users, it will only install from default repositories. If apt-url makes adding 3rd party repositories trivial, it becomes considerably less safe.

While I can see your point, I think the benefits do not outweigh the downside. -1

Alan Pope (Ubuntu developer) wrote on the 7 Mar 08 at 12:02
Fixed typo :)

cheesehead (Brainstorm moderator) wrote on the 7 Mar 08 at 12:39
One-click package install already implemented: gdeb package manager

Changing AptUrl in this way removes two of Ubuntu's strengths: bug-squashing packages for interoperability, and trusted repositories for security.

This suggestion is a *perfect* vehicle for malware (remember that from Windows?)

rorymccann wrote on the 7 Mar 08 at 13:54
Although people can add extra repos by editing the file, that doesn't mean we should make it easy.

leandro.miranda wrote on the 7 Mar 08 at 14:38
Apt-get works and is easy to understand!

I would like apt-get to gain a function more friendly to the end user for adding repositories, preferably solving the problem of GPG; today we see that the user has to study and implement a method to add the GPG key. I think it's a negative point for end users.

Jadd wrote on the 7 Mar 08 at 15:04
No. As pointed out before, adding repos is dangerous. Besides, we already have a GUI way of doing this: System, Administration, Software Sources, Third Party Software. If a user is not techy enough to do that, he/she should not be messing with repos anyway.

earobinson wrote on the 7 Mar 08 at 15:24
Blueprints: https://launchpad.net/ubuntu/+spec/third-party-apt (can't seem to add it)

gerardo wrote on the 7 Mar 08 at 18:01
I think this is already implemented in maemo, the Nokia n800 OS. I'll give an example. I'm browsing the Download section on the maemo site, and I want to install Vagalume:

http://maemo.org/downloads/product/OS2008/vagalume/

When I click the link, the Nokia Package Manager asks me to install Vagalume, configures the repo and installs the software.

The download is a .install file, just like freedesktop's .desktop files:

""
[install]
package = vagalume
catalogues = vagalume
repo_name = Vagalume Last.fm Client
repo_deb = deb http://apt.igalia.com/ gregale vagalume
repo_deb_3 = deb http://apt.igalia.com/ bora vagalume

[vagalume]
name = Vagalume Last.fm Client
uri = http://apt.igalia.com/
components = vagalume
""

Maybe you could use some ideas (and code) from there. Or just use that implementation.
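The .install format quoted in the comment above is simple enough to parse with the standard library, and it is a natural place to put the trusted-sites check the original idea asks for. The following is an added example, not code from maemo, apt-url or the ThirdPartyApt spec: it parses such a file, validates the package name, builds the sources.list lines for the caller's release, and refuses to add anything if any catalogue's host is missing from an allowlist. The TRUSTED_HOSTS set (including ppa.launchpad.net), the function names and the "hardy" release name are assumptions; the sample file is the one from the comment.

```python
"""Added example: parse a maemo-style .install file and gate its
repositories on an allowlist of trusted hosts.  Not code from apt-url,
maemo or any Ubuntu project; names and the allowlist are assumed."""
import configparser
import re
from urllib.parse import urlparse

# Constructed sample input, copied from the .install file in the comment above.
SAMPLE_INSTALL = """\
[install]
package = vagalume
catalogues = vagalume
repo_name = Vagalume Last.fm Client
repo_deb = deb http://apt.igalia.com/ gregale vagalume
repo_deb_3 = deb http://apt.igalia.com/ bora vagalume

[vagalume]
name = Vagalume Last.fm Client
uri = http://apt.igalia.com/
components = vagalume
"""

# Assumed allowlist: hosts the user or distribution has chosen to trust.
TRUSTED_HOSTS = {"ppa.launchpad.net", "apt.igalia.com"}

# Debian policy package-name syntax: lowercase alphanumerics, '+', '-', '.',
# at least two characters, starting with an alphanumeric.  Rejecting anything
# else keeps shell metacharacters out of whatever later runs apt-get.
PACKAGE_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9+.-]+$")


def parse_install(text):
    """Parse .install text into (package, [repo dicts]).

    Raises ValueError (or configparser.Error) on structurally bad input so
    the caller never acts on a half-parsed file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_option("install", "package"):
        raise ValueError("missing [install] section or package key")
    package = cp.get("install", "package").strip()
    if not PACKAGE_NAME_RE.match(package):
        raise ValueError(f"invalid package name {package!r}")
    repos = []
    for cat in cp.get("install", "catalogues", fallback="").split(","):
        cat = cat.strip()
        if not cat:
            continue
        if not cp.has_option(cat, "uri"):
            raise ValueError(f"catalogue section [{cat}] missing or has no uri")
        repos.append({
            "name": cp.get(cat, "name", fallback=cat),
            "uri": cp.get(cat, "uri").strip(),
            "components": cp.get(cat, "components", fallback="").split(),
        })
    return package, repos


def is_valid_install(text):
    """True when the file parses and names a well-formed package."""
    try:
        parse_install(text)
        return True
    except (ValueError, configparser.Error):
        return False


def check_repo_uri(uri, trusted_hosts=TRUSTED_HOSTS):
    """Return (allowed, reason) for one repository URI."""
    p = urlparse(uri)
    if p.scheme not in ("http", "https"):
        return False, f"unsupported scheme {p.scheme!r}"
    host = (p.hostname or "").lower()
    if host not in trusted_hosts:
        return False, f"host {host!r} is not on the trusted list"
    return True, "trusted host"


def plan_install(text, dist, trusted_hosts=TRUSTED_HOSTS):
    """Return (package, sources_lines, warnings).

    sources_lines holds one 'deb ...' line per repository, built for the
    caller's own release name (dist) rather than the releases hard-coded in
    the file.  If any repository is refused, sources_lines is empty and
    warnings explains why: the caller should show the warnings and add nothing."""
    package, repos = parse_install(text)
    lines, warnings = [], []
    for r in repos:
        ok, reason = check_repo_uri(r["uri"], trusted_hosts)
        if not ok:
            warnings.append(f"{r['name']}: {reason}")
            continue
        lines.append(f"deb {r['uri']} {dist} {' '.join(r['components'])}")
    if warnings:
        return package, [], warnings
    return package, lines, []


if __name__ == "__main__":
    print(plan_install(SAMPLE_INSTALL, "hardy"))
    print(plan_install(SAMPLE_INSTALL, "hardy", trusted_hosts={"ppa.launchpad.net"}))
```

Two design choices are worth noting. The allowlist is keyed on the host only, so a trusted host's URL path or component names cannot smuggle in an untrusted source, and an untrusted host anywhere in the file blocks the whole install rather than silently adding the trusted half. Also, the format carries no signing key at all, so even a trusted host would still need its archive key handled separately (the GPG problem leandro.miranda raises above), and this parser does not paper over that.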

peterjs wrote on the 8 Mar 08 at 10:45
There's a spec in the works for this:
https://wiki.ubuntu.com/ThirdPartyApt

It's going to be awesome.

curupira wrote on the 9 Mar 08 at 12:26
-1 for me. It is a security nightmare, as bizarre as ActiveX.

simontol wrote on the 28 Mar 08 at 15:02
I've tried 1-click-install by OpenSUSE; it's simply great for me.
Users are advised of the risk of installing extra repositories.
I think a good choice would be to provide a PPA page where to find newer versions of the packages.
I also think that, after the package is installed, the dialog box should ask the user if he/she wants to keep the external repo for updates or disable it.
About the security risk, I think it is not worse than the actual habit of customizing the sources.list with "all-the-third-party-repos-i-could-find-on-the-web".
I've seen many sites that provide ready-to-use sources.list files and suggest that end users download one and replace the original.
Actually, clicking on a file called sources.list launches software-properties and asks you if you want to add the repos in the file or REPLACE THE CURRENT LIST!!!

simontol wrote on the 28 Mar 08 at 15:04
Please have a look at http://software.opensuse.org/search
for what I mean by "PPA page where to find newer versions of the packages".

brokencrystal wrote on the 31 Mar 08 at 09:33
"-1 for me. It is a security nightmare, as bizarre as ActiveX."

We already have the ability to add repositories. Why not make it easier to do so?

I like this idea. You would need to enter a password to do so. Third party repositories are used today. If someone wants to do it, they will. There are many great third party repositories that I would consider to be safe. (Examples: WineHQ, Medibuntu, Google, and VirtualBox just to name a few.)

There is nothing wrong with this idea. Let's make things easier for the user. This is not a security nightmare if it is password protected just like everything else.

+1 for me!


nnonix wrote on the 31 Mar 08 at 14:41
BAD BAD BAD idea!

The proper thing to do would be to get the software you want into a default repository.

Thorsten Sick wrote on the 2 Apr 08 at 19:40
This would create an infection vector.
Hacked forums with tips on how to solve a problem by just "Click the link and enter your password".

Ferk wrote on the 13 Apr 08 at 12:54
Related idea: http://brainstorm.ubuntu.com/idea/134/
It's not about thirty party, it's about improving apt.

brokencrystal wrote on the 5 May 08 at 05:53
If you are scared, then make it optional. (Off by default) Advanced users can turn it on via the control panel or gnome configuration. Scared pussies and newbies can leave it turned off.

Auzy wrote on the 5 May 08 at 07:53
Guys, I'm seeing some of the most uninformed arguments here I have ever seen in the history of Brainstorm.

Especially: "This would create an infection vector.
Hacked forums with tips on how to solve a problem by just "Click the link and enter your password"."

For starters, it's not called an infection vector, it's called an ATTACK vector, and the vector already exists in another form anyway (i.e., they tell you to run commands that do the same thing, or tell you to run a shell script). If they fall for it one way, they will fall for it the other. So there is no additional attack vector here. The system is no less secure. You simply warn the user when they are doing an APT-URL operation that they should only do it from a trusted source. Easy.

And us coders can't expect the repos to be 100% perfect. We want to make it easy for our software to be managed by Apt. And we want to control our own destiny, not rely on Canonical to update our programs in the repos. That way, we can deal with security issues a lot quicker (which is where you actually get a security gain in some cases).

From the usability standpoint, this offers a GUI-independent way of dealing with adding APT repos. Without it, if I want to get my customers to use apt, I need to either give them a script, make a program, get them to run around in bash, or write out the procedures for 5 different GUIs (which is a pain). That's not really a good solution.

So really, it actually enhances security, because Canonical aren't always 100% up to speed, and it makes life easier for coders.

It gets my vote EASILY. In fact, it also lets me easily roll out testing of my MenuToGo program, and allow users to automatically get their beta copy upgraded every day easily.

Auzy wrote on the 5 May 08 at 08:18
I should also add, curupira, ActiveX is a security disaster because it executes code without warning on older systems. These days it's not so much a security issue.

APT-URL doesn't go and execute remote code.

AlexEftimie wrote on the 17 Jun 08 at 17:22
I support this idea, because it will only simplify things that can already be done. And I'm tired of doing sudo, gpg, apt and echo every time I want to test some new application.

Thorsten Sick wrote on the 19 Nov 08 at 19:48
"For starters, it's not called an infection vector, it's called an ATTACK vector"
@Auzy
You are right, it is ALSO an attack vector. I am working for an anti-virus company, and currently most malware infections are caused by drive-by downloads (no user interaction) or other infected homepages with very low user interaction.
With apt-url adding repos, a forum entry would suffice to trick users into clicking the link and entering their password.

"Here is a fix for your driver problem"
automatically spread through Linux forums...

And forums can be hacked easily.

The more user interaction needed to harm the computer, the more time the user has to ponder his decision.

...well... I have to add this repository... why? And then I will download the program... the signature is not accepted...

?

