Apt repository interoperability (was: Bug#311188: Debian edu messed up my Ubuntu system.)

Herman Robak herman at skolelinux.no
Tue Apr 22 08:48:52 BST 2008

On Mon, 21 Apr 2008 09:42:38 +0200, Andreas Tille <tillea at rki.de> wrote:

> [Removed bug address from cc list because it blurs the log]


> On Sun, 20 Apr 2008, Herman Robak wrote:

>> Repositories that look alike on the surface may or may not play nice
>> with each other.  They may be binary incompatible.  Their maintainers
>> may not endorse (i.e. support) other repositories that are intended to
>> be binary compatible, either.  Users who add third party repositories
>> are left to figure this out for themselves.  It's as if adding an apt
>> repository is an expert operation; User Beware!
> But how to solve this technically???
> Patch any editor (including echo and cat that might
> ">>/etc/apt/sources.list") to issue a warning about possibly dangerous
> results when you change the repositories?

  Use a file access monitor (FAM or something similar).  I know, popping
up a dialog saying "it seems you are adding an APT source" is awfully
Clippy-like.  Any less obnoxious suggestions?

> How far is this action more or less dangerous than any other action
> done by root?

  It isn't.  It just happens to be pretty common. Because it is frequently
encouraged, by HOWTOs and other users.  Installing stuff is a very common
task, and Debian's walled garden doesn't have ALL the desired stuff.

  Joe Average should hardly ever need to become root.  But he has to become
root to install software.  There's your test: "When does Joe Average have
to become root?"

>> I don't think we want to advertise loudly the lack of such safety
>> features.  But unless we do, I think it is the duty of Debian and its
>> derivatives to improve the safety nets.
> How?

  I will not suggest quick fixes for this, because I don't think there
are any that would work well.  This is a design challenge.  Some thoughts:

1) Encourage the use of user interfaces to the APT sources list, instead of
  editing it.  Since those user interfaces are aware of the task they  
  good instructions can be given and safety measures are feasible.
  Nag the user who edits sources.list by hand (using FAM?)

2) Make APT pinning a prominent feature; maybe the default for 3rd party
  APT sources.

  I'm pointing out a problem.  Not because I have devised good solutions
for it, but because I think the problem is real.  I know this places me
in the "talkers" camp, who are less entitled to an opinion than the
"doers".  But I still want to say this for the record.

Herman Robak
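
Point 2 of the message above (pinning as the default for third-party APT sources), sketched as an added example that is not part of the original e-mail or of any Debian or Ubuntu tool. The trusted host list, the priority value 100, the function names and the sample hosts are assumptions chosen for illustration.

```shell
# Emit apt_preferences(5) stanzas pinning every non-trusted archive host
# found in sources.list text (stdin) to a low priority.
# Assumption: hosts treated as the distribution's own archive.
TRUSTED_HOSTS="archive.ubuntu.com security.ubuntu.com"
# Assumption: 100 is below apt's default of 500, so a pinned source cannot
# replace a package that the trusted archive also provides.
PIN_PRIORITY=100

# Print each distinct network host used by a deb or deb-src line.
list_hosts() {
    awk '
        $1 != "deb" && $1 != "deb-src" { next }  # comments, blank lines
        {
            i = 2
            # Skip an optional "[ opt=val ... ]" block; it may span fields.
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            uri = $i
            if (uri !~ /^(http|https|ftp):\/\//) next  # cdrom:, file:, ...
            sub(/^[a-z]+:\/\//, "", uri)  # scheme
            sub(/\/.*$/, "", uri)         # path
            sub(/^.*@/, "", uri)          # user:password@
            sub(/:.*$/, "", uri)          # port
            if (!(uri in seen)) { seen[uri] = 1; print uri }
        }'
}

# Read sources.list text on stdin, write one pin stanza per untrusted host.
pin_untrusted() {
    list_hosts | while read -r host; do
        case " $TRUSTED_HOSTS " in
            *" $host "*) continue ;;
        esac
        printf 'Package: *\nPin: origin "%s"\nPin-Priority: %s\n\n' "$host" "$PIN_PRIORITY"
    done
}

# Constructed sample input, not taken from any real system.
sample_sources() {
    cat <<'EOF'
deb http://archive.ubuntu.com/ubuntu hardy main universe
deb http://security.ubuntu.com/ubuntu hardy-security main
deb [arch=i386] http://thirdparty.example.org:8080/debian stable main
deb-src http://thirdparty.example.org:8080/debian stable main
# deb http://disabled.example.net/debian stable main
deb cdrom:[Ubuntu 8.04]/ hardy main
EOF
}
sample_sources | pin_untrusted
```

The stanzas are meant to be reviewed and then placed in /etc/apt/preferences; `apt-cache policy` shows the priority each source ends up with.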
