Ubuntu MATE's Software Boutique and third party sources
Jeremy Bicha
jbicha at ubuntu.com
Tue Feb 20 20:46:40 UTC 2018
Hi,
My understanding is that the Ubuntu Technical Board has a
long-standing policy against enabling PPAs without a formal exception.
For background, a request to enable a Unity 8 PPA for 16.04 LTS users
was denied. See LP: #1585362
Software Boutique
-----------------------
Ubuntu MATE for several releases has shipped a Software Boutique app
(source package is ubuntu-mate-welcome). While it respects the letter
of the policy (Ubuntu MATE does not enable PPAs by default), the UI at
least bends the interpretation of the policy.
It's fairly easy to try out even without installing Ubuntu MATE. Just
grab the 17.10 iso (the 18.04 version of the app hasn't been fully
updated for available sources) and run System > Administration >
Software Boutique. (The Boutique app is also promoted as part of the
Welcome app experience after install).
There is a large amount of software available for install; some of it
comes directly from Ubuntu. Others are not part of Ubuntu at all. A
user could easily install the Brave web browser and be unaware that
they have enabled a third-party software source and unaware of the
consequences of doing that.
The prominent "Retrieve the latest software listings" link (once
"Apply Changes" is clicked) enables the Ubuntu Mate Welcome PPA.
Consequences
-------------------
It's a lot of third-party sources that are not vetted or monitored by
anyone except for the Ubuntu MATE developers.
My understanding is that all third-party sources are disabled on
upgrade by ubuntu-release-upgrader and not re-enabled afterwards. This
is a serious problem. For instance, a user could install Brave in
17.10 and a few months later, upgrade to 18.04 and then not receive
any security updates for Brave any more.
Also, the Ubuntu upgrader does not run ppa-purge which could cause
issues on upgrade. I don't know if it affects any of the Boutique
apps, but it is a problem for some types of repos.
I think many Ubuntu developers and contributors would consider a
system with a significant number of third-party repositories like that
to be in an unsupported state. (??)
Informed Consent
----------------------
During install of those apps, the app does not directly explain to
users what they are doing and where the software is coming from.
There is a details button next to the Install button that does mention
the source.
Other Background
-----------------------
I had assumed that the Tech Board was aware of the Software Boutique
and had generally approved it. I do feel a bit uncomfortable with
bringing up a topic that could take away one of Ubuntu MATE's popular
features, and I didn't really feel doing so was my responsibility. I
believe I was mistaken on some of those points, but it explains why I
hadn't written this list sooner.
I (very) briefly discussed this app and the possible TB concerns with
Martin Wimpress a long while ago.
Conclusion
--------------
Therefore, I propose this topic for the next Technical Board meeting,
which I believe is scheduled for February 27. I might not attend (I've
said quite a bit in this email already!)
Thanks,
Jeremy Bicha