[packagekit] FOSScamp discussion notes

Richard Hughes hughsient at gmail.com
Thu May 22 23:50:18 PDT 2008


On Thu, 2008-05-22 at 17:06 -0400, David Zeuthen wrote:
> On Tue, 2008-05-20 at 14:39 +0100, Richard Hughes wrote:
> > > - it would be nice to have PackageKit frontend for 1-click install
> > 
> > Talking to the Red Hat security guys they were very unhappy with this -
> > potentially many many problems with security. 
> 
> Can you, or these security guys, kindly explain how this is any
> different than being able to install any rpm from a website? The latter
> works just fine today...

Well, it's not the case of installing dodgy software, as we already let
the user do that with warnings and needing the root prompt. The issue is
that some developer creates a repo with a package with a higher epoch,
and then Fedora releases a critical security package (with an
updated version, but smaller epoch) and the package does not get
upgraded, leaving the user vulnerable.

There's also the scenario that the user installs some random repo, where
the developer pushes a few svn packages. The developer gets bored, and
stops producing updates, and then one of the packages could block on a
dependency, causing no further automatic system updates.

> > What primary usecases do
> > you think 1 click install will accomplish?
> 
> Just look at how 1 click install is used today already.

I guess for people like you it would be quite useful "click here to
install my DeviceKit rpms" but then I would argue you should just get
them into rawhide :-)

I've not shut the door on 1-click, I just need some valid use cases.
Have you SUSE guys done any work on use cases for 1-click?

Richard.
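
The epoch scenario described in the message above, as an added example that is not part of the original post or of PackageKit: a check that lists installed packages whose distribution build has a newer version but still loses the comparison on epoch. The comparison is a simplified form of RPM's epoch:version-release ordering (no tilde or caret handling), and the function names and package data are constructed for illustration.

```python
import re
from itertools import zip_longest

def parse_evr(evr):
    """Split 'epoch:version-release'; a missing epoch counts as 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return int(epoch), version, release

def seg_cmp(a, b):
    """Simplified rpmvercmp: compare runs of digits or letters left to right."""
    for x, y in zip_longest(re.findall(r"\d+|[a-zA-Z]+", a),
                            re.findall(r"\d+|[a-zA-Z]+", b)):
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alphabetic
        kx, ky = (int(x), int(y)) if x.isdigit() else (x, y)
        if kx != ky:
            return 1 if kx > ky else -1
    return 0

def evr_cmp(a, b):
    """Epoch is compared first; version and release only break ties."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return seg_cmp(va, vb) or seg_cmp(ra, rb)

def shadowed_updates(installed, distro):
    """Packages whose distro build has a newer version but loses on epoch."""
    hits = []
    for name, have in installed.items():
        offer = distro.get(name)
        if offer is None:
            continue
        newer_version = seg_cmp(parse_evr(offer)[1], parse_evr(have)[1]) > 0
        if newer_version and evr_cmp(offer, have) < 0:
            hits.append((name, have, offer))
    return hits

# Constructed sample data: 'foo' came from a third-party repo with epoch 1.
INSTALLED = {"foo": "1:1.2-1", "bar": "2.0-3.fc9"}
DISTRO = {"foo": "0:1.4-2.fc9", "bar": "2.0-4.fc9"}
```

Running shadowed_updates(INSTALLED, DISTRO) reports only foo: the distribution's 1.4 build would never be picked as an upgrade over the installed 1:1.2-1.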