On apturls and repositories

Alexander Sack asac at ubuntu.com
Tue Jun 2 09:51:14 UTC 2009


On Tue, Jun 02, 2009 at 12:53:24AM +0200, Martin Owens wrote:
> On Mon, 2009-06-01 at 09:48 -0700, Dylan McCall wrote:
> > Sounds like the discussion at UDS about having support for adding
> > repositories (or at least PPAs) via apturl didn't get very far. At risk
> > of prolonging a stalemate, I get the impression blocking this idea for
> > safety reasons is completely pointless.
> 
> The session was polite and we talked about everyone's views. Some of
> these choices are down to political background more than technical
> options. Although Alexander Sack didn't help by suggesting that the
> decision had already been made at All Hands.

FWIW, I didn't say that the decision was already made during allhands
- otherwise there wouldn't have been such a healthy discussion
:). Only thing I said was that there was lots of out-of-session
discussion up-front which probably led to a quick start of the whole
discussion in the first apturl session.

In fact there was a second apturl session during UDS (which you didn't
attend unfortunately); in that session we basically reached consent on
what I already suggested in the first session: to go for the currently
suggested explicit apturl third party process while making it easier
to enable PPAs in karmic (like: automatic key exchange and general
improvements in software sources/app-center).

> 
> As I said I would, I've compiled some mock-ups of what I was talking
> about with various people:
> 
> http://doctormo.wordpress.com/2009/06/01/ubuntu-apt-url-and-the-white-list/
> 
> I'm going to add the same to the whiteboard for the blueprint now.
>

From what I see at a first glance your mockups look useful and should
be considered when designing the improved PPA user experience in
app-center/software-sources. However, imo they don't prevent users from
getting tricked into single click installs. Also you use gpg to
express trust in software quality, while gpg is designed for expressing
trust in identities; this was also pointed out in your blog post
comment [1] and should definitely be addressed somehow - most likely by
not using gpg, but some launchpad mechanism to express trust in
quality in PPAs.


[1] - http://doctormo.wordpress.com/2009/06/01/ubuntu-apt-url-and-the-white-list/#comment-1277

Thanks,

 - Alexander
