http://brainstorm.ubuntu.com/item/3647/
Epically with the launchpad Personal Package Archives and this seems more needed.

By using a list of trusted sites we could avoid bad repositories being added and a warning message when a repository was going to be added.

EDIT: I misspelled repository in the title can a mod fix it?

[194 votes] Solution #1: Auto-generated solution of idea #3647


]]> en-us Fri, 07 Mar 2008 01:07:25 +0000 Wed, 19 Nov 2008 19:48:10 +0000 QAPoll module http://brainstorm.ubuntu.com/idea/3647/ Fri, 07 Mar 2008 01:28:25 +0000 Fri, 07 Mar 2008 02:41:14 +0000 Fri, 07 Mar 2008 02:47:37 +0000 Fri, 07 Mar 2008 02:50:18 +0000
By the time the code is mature enough it'll make it into universe/multiverse and the standard apturl will work.]]> Fri, 07 Mar 2008 03:29:02 +0000 Fri, 07 Mar 2008 04:03:13 +0000
Adding third-party repositories usually leads to mega-disasters ]]> Fri, 07 Mar 2008 04:14:48 +0000
You might think that you're trying to make things simpler, but you will achieve the exact opposite and make life more complicated.

The reason this is the case is simple, support.

The "desire" to install anything and everything is an unmaintainable nightmare. This suggestion makes that even harder.

The notion that because you can, you should is in my opinion wrong. As an IT professional charged with supporting computers around the world on a daily basis this notion of everything all the time is not sustainable.

I have no problem with you voicing your opinion, but I have extreme distaste for the idea.

Finally, you responded to zelut: "what about miro and programs like that?"

The response should be: "If it's not packaged inside Ubuntu, then work towards achieving that aim. Installing it as a third-party repository is just bad."

I suspect you'll want an example to go with that. Let's for a moment imagine that I wanted to install package FooBar. It depends on a specific version of FooBar.lib, which has been compiled and is also available with the FooBar application on the third-party repository. On the face of it, you add the repository, then install FooBar, which also downloads and installs FooBar.lib. If all goes well, your application FooBar now works. Finished right?

Well no. If FooBar.lib also appears in Ubuntu itself and other applications like FooBob rely on the older version, then we get unpredictable behavior. Best case scenario, the local Ubuntu application FooBob crashes, so you see that something's wrong, but more likely, all of a sudden one aspect of FooBob is broken and now you need support.

So, I get a call saying: FooBob doesn't work. After three weeks of tracking down problems, it turns out that the issue is related to FooBar.lib, something I've never heard of and something you as the application user don't even know about.

That is why this is a bad idea.

Onno Benschop]]> Fri, 07 Mar 2008 04:18:59 +0000 Fri, 07 Mar 2008 04:45:49 +0000
onno-itmaze you bring up a good point but people are editing there repos neways so we currently have all those problems as it is.

//////////

you stand corrected earobinson, we do have all those problems as of right now.

the best solution would be to auto-create a backup image everytime you change repos.

a restore system should be implemented first.

something similar to MAC OS time-machine

if anything bad goes on you can restore.

for linux we have time-vault
http://lifehacker.com/software/featured-linux-download/timevault-time-machine-for-linux-275399.php

and flyback
http://web2linux.blogspot.com/2007/11/apples-time-machine-now-for-linux.html
http://flyback-project.org/

http://brainstorm.ubuntu.com/idea/266/]]> Fri, 07 Mar 2008 07:03:15 +0000
More importantly, consider the possible damage this would cause to apt-url. As it stands now it is a very safe utility because, for most users, it will only install from default r epositories. If apt-url makes adding 3rd party repositories trivial, it becomes considerably less safe.

While I can see your point, I think the benefits do-not outweigh the downside. -1]]> Fri, 07 Mar 2008 08:22:51 +0000 Fri, 07 Mar 2008 12:02:21 +0000
Changing AptUrl in this way removes two of Ubuntu's strengths: Bug-squshing packages for interoperability, and trusted repositories for security.

This suggestion is a *perfect* vehicle for malware (remember that from Windows?)]]> Fri, 07 Mar 2008 12:39:35 +0000 Fri, 07 Mar 2008 13:54:12 +0000 Apt-get functions and easy to understand!

I would like oo apt-get a win function more friendly to the end user to add repositories preferably solving the problem of GPG, today we see that the user has to add a method to study and implement the key GPG. I think it's a negative point for end users.]]> Fri, 07 Mar 2008 14:38:05 +0000 Fri, 07 Mar 2008 15:04:17 +0000 Fri, 07 Mar 2008 15:24:28 +0000
http://maemo.org/downloads/product/OS2008/vagalume/

When I click the link, the Nokia Package Manager ask me to install Vagalume, configure the repo and install the software.

The download is a .install file, just like the freedesktop's .desktop files:

""
[install]
package = vagalume
catalogues = vagalume
repo_name = Vagalume Last.fm Client
repo_deb = deb http://apt.igalia.com/ gregale vagalume
repo_deb_3 = deb http://apt.igalia.com/ bora vagalume

[vagalume]
name = Vagalume Last.fm Client
uri = http://apt.igalia.com/
components = vagalume
""

Maybe you could use some ideas(and code) from there.Or just use that implementation.]]> Fri, 07 Mar 2008 18:01:42 +0000 https://wiki.ubuntu.com/ThirdPartyApt

It's going to be awesome.]]> Sat, 08 Mar 2008 10:45:06 +0000 Sun, 09 Mar 2008 12:26:08 +0000 Users are advised by the risk of installing extra repositories.
I think that a good choice should be provide a ppa page where to find newer versions of the packages.
I also think that, after the package is installed, the dialog box should ask the user if he/she wants to keep the external repo for updates or disable it.
About the security risk, I think it is not worse than the actual habit to customize the sources.list with "all-the-third-party-repos-i-could-find-on-the-web".
I've seen many sites that provides ready-to-use sources.list and suggests end-user to download it and replace the original one.
Actually clicking on a file called sources.list launches software-properties and asks you if you want to add the repos in the file or REPLACE THE CURRENT LIST!!!]]> Fri, 28 Mar 2008 15:02:17 +0000 for what I mean with "ppa page where to find newer versions of the packages"]]> Fri, 28 Mar 2008 15:04:29 +0000
We already have the ability to add repositories. Why not make it easier to do so?

I like this idea. You would need to enter a password to do so. Third party repositories are used today. If someone wants to do it, they will. There are many great third party repositories that I would consider to be safe. (Examples: WineHQ, Medibuntu, Google, and VirtualBox just to name a few.)

There is nothing wrong with this idea. Let's make things easier for the user. This is not a security nightmare if it is password protected just like everything else.

+1 for me!

]]> Mon, 31 Mar 2008 09:33:38 +0000
The proper thing to do would be to get the software you want into a default repository.]]> Mon, 31 Mar 2008 14:41:06 +0000 Hacked forums with tips how to solve a problem by just "Klcik the link and enter your password"]]> Wed, 02 Apr 2008 19:40:33 +0000 It's not about thirty party, it's about improving apt.]]> Sun, 13 Apr 2008 12:54:02 +0000 Mon, 05 May 2008 05:53:31 +0000

Especially: "This would create an infection vector.
Hacked forums with tips how to solve a problem by just "Klcik the link and enter your password"


For starters, Its not called an infection vector, its called an ATTACK vector, and the vector already exists in another form anyway (ie, they tell you to run commands that does the same thing, or tell you to run a shell script). If they fall for it one way, they will fall for it the other. So there is no additional attack vector here. The system is no less secure. You simply warn the user when they are doing a APT-URL operation that they should only do it from a trusted source. Easy.


And us coders cant expect the repo's to be 100% perfect. We want to make it easy for my software to be managed by Apt. And, we want to control our own destiny, not rely on conanical to update our programs in the repos. That way, we can deal with security issues a lot quicker (which is where, you actually get a security gain in some cases).


From the usability standpoint, this offers a GUI independant way of dealing with adding APT repos. Without it, if I want to get my customers to use apt, I need to either give them a script, make a program, get them to run around in bash, or write out the procedures for 5 different gui's (which is a pain). Thats not really a good solution


So really.. It actually enhances security, because Canonical aren't always 100% up to speed, and it makes life easier for coders.


It gets my vote EASILY. In fact, it also lets me easily roll out testing of my MenuToGo program, and allow users to automatically get their beta copy upgraded every day easily. ]]> Mon, 05 May 2008 07:53:21 +0000
APT-URL doesn't go and execute remote code..]]> Mon, 05 May 2008 08:18:08 +0000 Tue, 17 Jun 2008 17:22:54 +0000 @Auzy
You are right, it is ALSO an attack vector. I am working for an anti-virus company and currently most of the malware infections are caused by drive-by-downloads (no user interaction) or other infected homepages with very low user interaction.
Using apt-url with repos a forum entry would suffice to trick users into clicking the link and entering his password.

"Here is a fix for your driver problem"
automatically spread through linux forums...

And forums can be hacked easily.

The more user interaction needed to harm the computer the more time the user has to ponder his decission.

...well...i have to add this repository...why ? and then I will download the program...the signature is not accepted...

?]]> Wed, 19 Nov 2008 19:48:10 +0000