On apturls and repositories
Vincenzo Ciancia
ciancia at di.unipi.it
Tue Jun 2 18:41:55 UTC 2009
Il giorno mar, 02/06/2009 alle 11.37 -0300, Derek Broughton ha scritto:
>
> I beg to differ. A user who is going to install software of dubious
> origins
> will install it whether it's "click-through" or not. You're merely
> annoying
> people who want to install known, reliable, software (virtualbox comes
> to
> mind - every time they issue a new release, I get a download link when
> I
> start it [and yes, I know I can actually add the URL to my
> sources.list -
> it's just an example]).
I think that making the process two-steps only affects usability: I can
do the same things, with the same authorizations, but I need to minimise
the firefox window, go to the desktop, find the downloaded file and open
it.
In any case, the apturl window *is* dangerous and users must know. It
does not matter how I do it, via javascript or providing a link, if you
click on a deb you get prompted for your root password. You're actually
providing a bridge for extraneous persons into your system. Nothing will
prevent that by making the process a bit harder.
A better idea would perhaps be to allow installing packages from apturls
or debs *only* if the key is already present in the system, that is, you
don't even add the source permanently if not.
Then, a smart user-friendly way to get the keys is clearly the way to
go.
Vincenzo
More information about the Ubuntu-devel-discuss
mailing list