On apturls and repositories

Martin Owens doctormo at gmail.com
Wed Jun 3 15:54:42 UTC 2009

On Tue, 2009-06-02 at 11:51 +0200, Alexander Sack wrote:
> In fact there was a second apturl session during UDS (which you didnt
> attend unfortunately);

Yea sorry about that, too many sessions going on, although I did talk
with people directly after the session and I was happy enough with the
decisions being made. 

> in that session we basically reached consent on
> what i already suggested in the first session: to go for the currently
> suggested explicit apturl third party process while making it easier
> to enable PPAs in karmic (like: automatic key exchange and general
> improvements in software sources/app-center).

It'll still ask to add an apt-source though right? password box?
wouldn't want mistaken clicks to add xorg-bleeding-edge.

> >From what I see at a first glance your mockups look useful and should
> be considered when designing the improved PPA user experience in
> app-center/software-sources. However, imo they don't prevent users from
> getting tricked into single click installs. Also you use gpg to
> express trust in software quality, while gpg is designed for expressing
> trust in identities; this was also pointed out in your blog post
> comment [1] and should definitly be addressed somehow - most likely by
> not using gpg, but some launchpad mechanism to express trust in
> quality in PPAs.

It's a tricky problem, qualitative assessment of launchpad PPAs would
need a launchpad mechanism of 'confidence' (as opposed to identity
trust) which would give that system a much better foundation. On the
other hand it'd be nice if the technology were open to none launchpad
sources too. And although GPG only brings identity trust, it does allow
you to bridge from knowing who someone is into knowing what they think
of the subject for consideration. I wouldn't dismiss using gpg for
identity management which is still important for distributed systems
where you have to quantify things against a person (even if that value
if technical confidence).

Regards, Martin

More information about the Ubuntu-devel-discuss mailing list