On apturls and repositories

Vincenzo Ciancia ciancia at di.unipi.it
Tue Jun 2 18:41:55 UTC 2009

On Tue, 02/06/2009 at 11.37 -0300, Derek Broughton wrote:
> I beg to differ.  A user who is going to install software of dubious origins
> will install it whether it's "click-through" or not.  You're merely annoying
> people who want to install known, reliable, software (virtualbox comes to
> mind - every time they issue a new release, I get a download link when I
> start it [and yes, I know I can actually add the URL to my sources.list -
> it's just an example]).

I think that making the process two-step only affects usability: I can
do the same things, with the same authorizations, but I need to minimise
the Firefox window, go to the desktop, find the downloaded file and open

In any case, the apturl window *is* dangerous and users must know. It
does not matter how I do it, via JavaScript or providing a link, if you
click on a deb you get prompted for your root password. You're actually
providing a bridge for extraneous persons into your system. Nothing will
prevent that by making the process a bit harder. 

A better idea would perhaps be to allow installing packages from apturls
or debs *only* if the key is already present in the system, that is, you
don't even add the source permanently if not.

Then, a smart user-friendly way to get the keys is clearly the way to

