corey.burger at gmail.com
Tue Mar 29 14:27:50 CST 2005
On Tue, 29 Mar 2005 21:17:05 +0100, Mike Hearn <mike at navi.cx> wrote:
> On Tue, 29 Mar 2005 11:46:22 -0800, Corey Burger wrote:
> > Probably for me the biggest reason not to allow autopackage has to do
> > with trust and security.
> Well, this comes up a lot but I think it's not really accurate. See here:
> I don't think it's worth trying to "educate" users that software does not
> come off the internet. Firstly even when using apt, it clearly does -
> there is a download progress bar. You would have to try and teach users
> that one bit of the internet - your bit - is good, whereas everywhere else
> is bad. That'd be a hard sell.
How is that hard. You tell users that these apps (synaptic,
gnome-app-install) are safe. To a lot of people, the internet is that
blue E thing on their desktop.
> Secondly, it doesn't provide any real security, just the illusion of it.
> Spyware and malware does not exist on Windows if you only use open source
> software (and avoid bug-ridden programs like IE), because developers
> bundle this stuff to provide them with a revenue stream from "free"
> programs. That's something Free software does not need. But, Ubuntu does
> not ship this type of commercial software anyway.
Autopackage does not deal with the fact that people will be bundling
this kind of cruft and junk once linux gets popular.
> So the core of your argument is that if something isn't in apt, it can't
> be installed at all. That clearly isn't true, actually it's quite easy,
> you can just provide the user with a Loki Setup, custom shell script, XPI
> or yes ... an autopackage.
But I am saying that if you teach users that only apt is safe, then
there is much less likelyhood that they will get malware through their
> If you want to avoid spyware/malware then your best bet is a two pronged
> 1) Ensure users needs and desires can be met using free software. That's
> not just boring business apps, that means pretty screensavers and
> oddball XMMS plugins too.
> 2) Implement some kind of distributed SSL-style whitelisting network.
> There is more discussion of that in the FAQ.
> The Linux community already has a pretty good head start at (1), but (2)
> is non-existent.
> thanks -mike
> ubuntu-devel mailing list
> ubuntu-devel at lists.ubuntu.com
More information about the ubuntu-devel