Shall we support the autorun feature?

[Martin Alderson]

On Tue, 4 Jan 2005 16:43:02 +0100, Martin Pitt
<martin.pitt at canonical.com> wrote:
> Hi!
> 
> Martin Alderson [2005-01-04 14:37 +0000]:
> > Why? Because it's vital things like this are done as 'across the
> > board' as possible. If not, we are going to see it splinter and
> > fragment, with commercial (off-the-shop-shelf) software only naming
> > those distributions that include this support as compatible.
> 
> Well, if they rely on such features, then I don't think that this
> would be too bad. The primary idea of different distributions is to
> make things differently, so I don't want to implement this equally on
> all distros just for the sake of it.

Of course, it should make _some_ things differently. But things like
autorun on CDs should work across the board as possible, and at least
on all GNOME-defaulting desktop distro's.

> > It also improves the user experience by miles. Look at how hard it is
> > for the average user to install a game. On Windows it's insert the CD
> > and click next. On Linux it's open terminal, goto root, type some
> > cryptic command with symbols that users do not use normally, and hope
> > it works. This is not acceptable.
> 
> This is the fault of the game vendor. If they provide an apt source,
> then package installation can't be easier.

WTF? Sorry, but an apt source is incredibly difficult. How does this
work? You have to edit sources.list as root, with a command line text
editor (since there is no way yet to use Gedit or similar to run as
root, that I know of, without opening the terminal), learn how to use
it, save it, _then_ learn a cryptic set of commands to install (yes,
sudo apt-get install gamename is cryptic if you don't know what you
are doing). This is totally not suitable for this. Are you suggesting
that all the people who just want to buy software from WalMart and
install 'Stitch Sewing 2004' have to learn how to use the terminal?
Not good enough. I'm sure you are going to suggest synaptic but it is
a simply scary app for most people, very cluttered and confused (for
the newbie) and it would be very easy to break your system by
accidently removing GNOME or something stupid with it.

> > What I suggest is a confirmation dialog that pops up, asking if the
> > user wants to run the script (possibly word it as an installer program
> > or similar) or browse the files on the CD.
> 
> I would find this annoying. I don't want to see such a dialog each and
> every time I insert a CD that happens to have an autorun file. And if
> the user has to click in a confirmation dialog anyway, why not just
> have him click on a "setup" or "install" script in Nautilus? This is
> far more obvious (that he executes something from CD) and not more
> complicated IMHO.

Right, well have a checkbox - 'remember this action in the future' and
you can either always have the file browser remember to run the script
or open the file browser.

The problem with asking the user to explicitly click a script is that:

a) If it's cross platfrom it may very well have multiple install
scripts, and if WINE is installed by default in the future it would be
very easy to click install.exe and try and install the windows version
or similar.
b) Most CDs are laid out very badly, with big data files strewn in the
root. It could be very hard to look through 100s of files to find one
install script one.
 
> > They are going to notice it because they have just done an action -
> > insert the CD - and will expect a reaction - some new thing to happen
> > - when they look up at the screen.
> 
> A nautilus window will pop up for the CD, so there is something
> happening.

Yes, but the user doesn't usually want to view a load of techie
install files, he just wants to install it. Most users who insert a CD
with no picture/movie files will 99% of the time be installing
something (this isn't really the case now as Linux has very little
boxed software for sale but this will probably change in the future).

> > As for the security issue, please... what sort of issues could you get
> > from this? Someone mails you a CD in the post (like AOL) and you
> > insert it and get all of your files deleted?
> 
> Theoretically this is possible. I never inserted an AOL CD by the way,
> so I cannot tell :-)

Well, most ISP CDs open up, and either open a web browser window and
browse to their site signup process and configure the modem to use the
right phone number etc.

> > Look at Windows, this has been implemented since at least '95 and I
> > don't think there has been a security issue ever arising from it.
> 
> I did not hear about any, but not every "my so-called friend gave me a
> CD and it nuked my computer" incident gets known publically. Second, I
> would rather focus on a secure by default architecture, so to avoid
> potential traps whereever possible.

Yes, but let's face it: it's very unlikley that there would ever be
any problems from this. CDs are not good virus infection things, as
they are read only. I do not think it is a good idea to make things
much harder for the user on the notion there could be, possibly, one
or two cases of this. It is too much effort for most people when they
could just email them a shell script and get them to copy it.
> > Maybe we should focus on the very
> > real issue of getting an easy to use update manager to patch systems,
> 
> apt-get and synaptic are not easy enough? Incidentially an even easier
> system is already in preparation (ask Michael Vogt :-) ). You don't
> need the autorun feature for this.

Not at all, compared to Windows Update (especially in SP2). It is
almost totally transparent to the user.

> Thanks and have a nice day!
> 
> Martin
> --
> Martin Pitt                       http://www.piware.de
> Ubuntu Developer            http://www.ubuntulinux.org
> Debian GNU/Linux Developer       http://www.debian.org
> 
> 
> --
> ubuntu-devel mailing list
> ubuntu-devel at lists.ubuntu.com
> http://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
> 
> 
> 
>