[packagekit] ServicePack: The magic file

David Zeuthen david at fubar.dk
Thu Mar 27 20:38:52 PDT 2008


On Thu, 2008-03-27 at 17:54 +0000, Richard Hughes wrote:
> Yes, that's the plan also, see
> http://lists.freedesktop.org/archives/packagekit/2008-March/002434.html

Just echoing what I said on IRC wrt. this topic:

It seems like you want to achieve two things here

 1. Automatically enabling repositories when suitable media is inserted.

 2. Use this functionality for service pack updates.

As 2. is mostly a subset of 1., I'll focus on 1. only.

First: the golden rule is that mechanisms are policy-free. What you are
proposing is adding a bit of policy into the PackageKit mechanism, by
making it be "helpful" and automatically add software sources.

 - Annoyance: it is potentially annoying when software is trying to be
   too smart, such as automatically adding repositories behind one's
   back without any user consent. Suppose I'm running the latest Fedora
   or whatever distro and I have a fat pipe where I get my updates from.

   Now for some reason I insert some media (maybe it's a CD from a
   magazine; maybe it's some hard disk a friend gave me) and the
   PackageKit system daemon "helpfully" adds the repository. The next
   time the daemon runs (which sometimes it does by itself to check
   updates) it reads my media. This is not what I want when I have a fat
   pipe. I was never asked if I wanted this (no, just putting up a
   notification doesn't help.)

 - Security: I'm not sure you should be adding repositories without the
   user's consent.

 - Complexity: it's a lot of extra code to add for this.

So instead of all this complexity, I'd suggest that the only thing you
do is

 - Make it easy for users to use Repository Viewer (also called Software
   Sources in the menus <-- confusing!) to add repositories on media.
   You need this feature anyway.

 - Work with people actually producing media (e.g. the distro) so it's
   easy to detect such media via an x-content/* handler (e.g. well-known
   signatures (files and directories) on the media).

 - Use the x-content/* machinery to start Repository Viewer with an
   option to automatically add the media as a repo source.

This makes it extremely transparent to the user what is going on. No
repos are automagically added without the user knowing what is going on.
The user is prompted and reminded that the media contains packaged
software. He gets to decide whether it should be added or not.

Implementation-wise this is even simpler. You don't need to pollute the
main daemon with extra code or dependencies.

And the result is pretty much the same.

Finally, I don't mean to flame but there are already enough bugs in
PackageKit and the functionality you're trying to add makes it even
less transparent what's going on. It is hardly the time to add more
features that are a) hard to figure out; and b) introduce nasty
security issues.

Hope this helps. Rock on.

      David




