[packagekit] 1-click; Third party vendors; etc.

Klaus Kaempf kkaempf at suse.de
Mon Jun 2 11:45:05 PDT 2008

* Patryk Zawadzki <patrys at pld-linux.org> [Jun 02. 2008 20:05]:
> On Mon, Jun 2, 2008 at 7:22 PM, Klaus Kaempf <kkaempf at suse.de> wrote:
> > Please explain how this is different from the usual 'rpm for
> > distribution XYZ -> download here' links posted on project websites.
> It's just as bad.

Ok. So you're discouraging any rpm downloads from project sites, right ?
Then any distribution available for download might also be bad as soon
as it runs on your machine / behind your firewall.
I agree that this is a problem to be solved, see below.

> > Users click there, download and install it. Installation is done as
> > root and the package can run all sorts of bad things in it %post
> > section.
> > The only difference I can see is that between download and install,
> > you can inspect the package binary and look at the scripts within. Do
> > people do this ?
> Do people download and install random rpm packages? Probably yes.
> Should they? I think not.

Random packages ? Certainly not.

Question is, how can one define and ensure a trust relationship between
the site offering the package and the user ? How can PackageKit support
this trust relationship ?


More information about the PackageKit mailing list