Shall we support the autorun feature?

Tue Jan 4 09:43:02 CST 2005

Hi!

Martin Alderson [2005-01-04 14:37 +0000]:
> Why? Because it's vital things like this are done as 'across the
> board' as possible. If not, we are going to see it splinter and
> fragment, with commercial (off-the-shop-shelf) software only naming
> those distributions that include this support as compatible.

Well, if they rely on such features, then I don't think that this
would be too bad. The primary idea of different distributions is to
make things differently, so I don't want to implement this equally on
all distros just for the sake of it.

> It also improves the user experience by miles. Look at how hard it is
> for the average user to install a game. On Windows it's insert the CD
> and click next. On Linux it's open terminal, goto root, type some
> cryptic command with symbols that users do not use normally, and hope
> it works. This is not acceptable.

This is the fault of the game vendor. If they provide an apt source,
then package installation can't be easier. 

> What I suggest is a confirmation dialog that pops up, asking if the
> user wants to run the script (possibly word it as an installer program
> or similar) or browse the files on the CD.

I would find this annoying. I don't want to see such a dialog each and
every time I insert a CD that happens to have an autorun file. And if
the user has to click in a confirmation dialog anyway, why not just
have him click on a "setup" or "install" script in Nautilus? This is
far more obvious (that he executes something from CD) and not more
complicated IMHO.

> They are going to notice it because they have just done an action -
> insert the CD - and will expect a reaction - some new thing to happen
> - when they look up at the screen.

A nautilus window will pop up for the CD, so there is something
happening.

> As for the security issue, please... what sort of issues could you get
> from this? Someone mails you a CD in the post (like AOL) and you
> insert it and get all of your files deleted? 

Theoretically this is possible. I never inserted an AOL CD by the way,
so I cannot tell :-)

> Look at Windows, this has been implemented since at least '95 and I
> don't think there has been a security issue ever arising from it. 

I did not hear about any, but not every "my so-called friend gave me a
CD and it nuked my computer" incident gets known publically. Second, I
would rather focus on a secure by default architecture, so to avoid
potential traps whereever possible.

> Maybe we should focus on the very
> real issue of getting an easy to use update manager to patch systems,

apt-get and synaptic are not easy enough? Incidentially an even easier
system is already in preparation (ask Michael Vogt :-) ). You don't
need the autorun feature for this.

Thanks and have a nice day!

Martin
-- 
Martin Pitt                       http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian GNU/Linux Developer       http://www.debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.ubuntu.com/archives/ubuntu-devel/attachments/20050104/893261fc/attachment.pgp