On apturls and repositories

Dylan McCall dylanmccall at gmail.com
Mon Jun 1 16:48:26 UTC 2009


Sounds like the discussion at UDS about having support for adding
repositories (or at least PPAs) via apturl didn't get very far. At risk
of prolonging a stalemate, I get the impression blocking this idea for
safety reasons is completely pointless.

Someone can 'easily' add a repository to a user's system (be it
maliciously or not) through the following means:
      * A .deb package that adds a repository to sources.list.d
      * A .list file (in the format of sources.list, for example) which
        is then automatically handled by Software Sources administration
        (software-properties-gtk).

There is therefore no security gain in apturls not doing repositories.
All it takes is a simple file that the user downloads and opens to get
the same thing happening.

...is this maybe going a bit off base? There are already two methods for
adding repositories and apturl doesn't strike me as the right design for
listing public keys to import. (At least not without generating a
horrifying abomination of a URI). And if it doesn't import public keys
with some reasonable automation, it will not work for PPAs.

Now, discuss :)


-- 
Dylan McCall <DylanMcCall at Gmail.com>
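Since the thread turns on how a dropped-in .list file widens what apt trusts, here is an added example (not from the original mail, nor from apturl or software-properties) that parses sources.list-format lines and reports every entry pointing outside the distribution archives; the set of official hosts is an assumption for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse
# Hosts treated as the distribution's own archives (assumption for this example); anything else is reported.
OFFICIAL_HOSTS = {"archive.ubuntu.com", "security.ubuntu.com"}

@dataclass
class SourceEntry:
    kind: str          # "deb" or "deb-src"
    uri: str
    suite: str
    components: tuple
    options: dict      # parsed from the optional [key=value ...] block
LINE_RE = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)\s*(.*)$")

def parse_sources_list(text):
    """Parse one-line sources.list format; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable sources.list line: {raw!r}")
        kind, opts, uri, suite, comps = m.groups()
        options = dict(item.partition("=")[::2] for item in (opts or "").split())
        entries.append(SourceEntry(kind, uri, suite, tuple(comps.split()), options))
    return entries

def audit(text):
    """Return (uri, reason) for every entry that widens what apt will trust."""
    findings = []
    for e in parse_sources_list(text):
        host = urlparse(e.uri).hostname or ""
        if host in OFFICIAL_HOSTS:
            continue
        reasons = ["PPA" if host == "ppa.launchpad.net" else "third-party repository"]
        if e.options.get("trusted") == "yes":
            reasons.append("signature verification disabled via trusted=yes")
        findings.append((e.uri, "; ".join(reasons)))
    return findings

# Constructed sample of what a dropped-in /etc/apt/sources.list.d/*.list might hold.
SAMPLE = """\
deb http://archive.ubuntu.com/ubuntu jaunty main restricted
deb http://ppa.launchpad.net/example/ppa/ubuntu jaunty main
deb [trusted=yes] http://example.net/debian ./
"""
```

Running `audit(SAMPLE)` reports the PPA and the `trusted=yes` entry while the archive.ubuntu.com line passes silently.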