Written by alexandervanhoorn the 11 Jul 09 at 10:38.

No popup or anything, just add something like "Warning: Don't install packages from untrusted sources" in gdebi.

It's not annoying or obtrusive.

Awareness is necessary.

No popup or anything, just add something like "Warning: Don't install packages from untrusted sources" in gdebi. It's not annoying or obtrusive. Awareness is necessary.

Written by alexandervanhoorn the 11 Jul 09 at 10:45.

This will not be an entire solution, but if we provide easier access to newer (unstable) versions, users are less likely to get their packages from untrusted websites.

By easier I mean easier than adding a ppa repository and adding a pgp key via synaptic.

For example: installing pidgin 2.5.8 in Jaunty should be possible from synaptic when it's available, instead of keeping people tied to 2.5.5 for half a year.

This will not be an entire solution, but if we provide easier access to newer (unstable) versions, users are less likely to get their packages from untrusted websites. By easier I mean easier than adding a ppa repository and adding a pgp key via synaptic. For example: installing pidgin 2.5.8 in Jaunty should be possible from synaptic when it's available, instead of keeping people tied to 2.5.5 for half a year.

Written by Stebalien the 6 Aug 09 at 04:28.

Different repositories would "own" packages:
1. Ownership would be set in a file such as /etc/apt/ownership/.list
2. A special system packages file would be created that would designate system packages (sudo, pam etc...).

Apt repositories would have permissions:
0. Ultimate Trust: Update and Install packages from this repository regardless of ownership including system packages
1. All: Update and Install new packages from this repository regardless of ownership (except system owned packages).
2. Owned only: Update and install only owned packages.
3. No Updates: Install owned packages from this repository but do not download updates from it.

Flags:
1. Warning: There would be a warning flag that a user could set on a repository that would warn when packages are updated or installed from that repository.
2. System: There would be a system flag that could be set on security related packages (sudo, bash etc...) that would prevent all but "Ultimate Trust" repositories from installing/updating them.

Different repositories would "own" packages: 1. Ownership would be set in a file such as /etc/apt/ownership/<Repository Key Fingerprint>.list 2. A special system packages file would be created that would designate system packages (sudo, pam etc...). Apt repositories would have permissions: 0. Ultimate Trust: Update and Install packages from this repository regardless of ownership including system packages 1. All: Update and Install new packages from this repository regardless of ownership (except system owned packages). 2. Owned only: Update and install only owned packages. 3. No Updates: Install owned packages from this repository but do not download updates from it. Flags: 1. Warning: There would be a warning flag that a user could set on a repository that would warn when packages are updated or installed from that repository. 2. System: There would be a system flag that could be set on security related packages (sudo, bash etc...) that would prevent all but "Ultimate Trust" repositories from installing/updating them.