Auto Package

Mike Hearn mike at navi.cx
Tue Mar 29 14:17:05 CST 2005


On Tue, 29 Mar 2005 11:46:22 -0800, Corey Burger wrote:
> Probably for me the biggest reason not to allow autopackage has to do
> with trust and security.

Well, this comes up a lot but I think it's not really accurate. See here:

  http://bylands.dur.ac.uk/~mh/autopackage.org/faq.html#4_4

I don't think it's worth trying to "educate" users that software does not
come off the internet. Firstly even when using apt, it clearly does -
there is a download progress bar. You would have to try and teach users
that one bit of the internet - your bit - is good, whereas everywhere else
is bad. That'd be a hard sell.

Secondly, it doesn't provide any real security, just the illusion of it.

Spyware and malware do not exist on Windows if you only use open source
software (and avoid bug-ridden programs like IE), because developers
bundle this stuff to provide them with a revenue stream from "free"
programs. That's something Free software does not need. But, Ubuntu does
not ship this type of commercial software anyway.

So the core of your argument is that if something isn't in apt, it can't
be installed at all. That clearly isn't true, actually it's quite easy,
you can just provide the user with a Loki Setup, custom shell script, XPI
or yes ... an autopackage.

If you want to avoid spyware/malware then your best bet is a two-pronged
approach:

1) Ensure users' needs and desires can be met using free software. That's
   not just boring business apps, that means pretty screensavers and
   oddball XMMS plugins too.

2) Implement some kind of distributed SSL-style whitelisting network.
   There is more discussion of that in the FAQ.

The Linux community already has a pretty good head start at (1), but (2)
is non-existent.

thanks -mike



