Apt repository interoperability (was: Bug#311188: Debian edu messed up my Ubuntu system.)

Herman Robak herman at skolelinux.no
Mon Apr 21 18:41:03 BST 2008


On Mon, 21 Apr 2008 16:42:21 +0200, Caroline Ford  
<caroline.ford.work at googlemail.com> wrote:

> On 21/04/2008, Andreas Tille <tillea at rki.de> wrote:
>
>> So you would like to file a wishlist bug to the Ubuntu BTS that
>>  users should be warned if they include Debian related apt lines??
>>  I'm keen on hearing what Ubuntu developers say about this. ;-)
>
> Actually Ubuntu users are very good at installing random repositories
> (especially from the forums) and complaining when it doesn't work.
>
> We have lots of bug reports connected to this, especially when
> upgrading, but also errors people get from having lines like wget foo
> in sources.list.

  Thanks for the empirical input: It's a fact that many users do this.
This is a potential burden on the community (support, reputation ...)


>>  > Repositories that look alike on the surface may or may not play nice
>>  > with each other.  They may be binary incompatible.  Their maintainers
>>  > may not endorse (i.e. support) other repositories that are intended to
>>  > be binary compatible, either.  Users who add third party repositories
>>  > are left to figure out this for themselves.  It's as if adding an apt
>>  > repository is an expert operation; User Beware!
>
> They may be malware too.

  Indeed!  User beware.  Is there anything in place to help the user
assess the trustworthiness of a repository?


>>  > Apt is an awesome package manager framework.  It has a lot of power!
>>  > But it is a powertool with few safety features aimed at Joe Average.
>>
>>
>> But root is not Joe Average.  If Joe Average decided to become root
>>  he takes over some responsibility.  We can't help here if he has
>>  not read the docs before.
>
> Desktop users are generally roots on their own machines. You can't
> install software any other way. Jo Average has to have sudo or her
> machine is much less usable.

  Actually, Debian users have to install software, too.  I don't expect
most of them have all they need right after the base installation has
finished.  And I don't expect Joe Average to morph into a different
personality every time he uses su to become root, because he needs to
install something.  He is still Joe Average, with a root prompt.


> Our userbase loves to experiment, this is why they are using Ubuntu
> rather than sticking with being windows power users. However once you
> leave the handholding (and restrictions) of gnome we don't necessarily
> have the educational resources to stop them breaking everything
> totally. Some of this is the forums, but would a large warning in
> sources.list help?

  Alas, a "don't touch this unless you know what you are doing" will be
like crying "wolf!" here.  Maybe the user isn't all that afraid of
breaking the system.  Reinstall is easy, and recent converts from
Windows will not be embarrassed by resorting to that. ;-)
  No, I think the more sinister threats are relevant: Your machine may
be 0wnded, and your data destroyed or compromised.  Ultimately your
machine may be usurped by criminals, which can hurt other people, too.
And that will be YOUR fault.
  The above is true, and quite obvious.  But users don't really want to
hear and believe that.  They need to be humbled first.  And I don't
believe Debian nor Ubuntu has the manpower to humble them quite enough.


> We are good at telling people that windows is unsafe, and most of our
> users would never dream of running windows without an antivirus and
> firewall, and wouldn't open random attachments etc. However as soon as
> they get on 'virus-free' Ubuntu they behave in a very unsafe way.
> Condoms for the userbase? People don't know how unsafe installing
> random repos is. Maybe it'll take a disease outbreak for the message
> to get across (alas).

  You won't like to hear this ...

  The message will never come across to everyone.  There will always
be a significant minority who don't get it.  Go ahead and read "The
Six Dumbest Ideas In Computer Security" by Marcus Ranum.  Skip to
point #5, "Educating Users".

http://www.ranum.com/security/computer_security/editorials/dumb/


  As long as Debian has a "desktop" item in the installer, the PEBKAC
category _will_ be our problem, too.

-- 
Herman Robak


