[packagekit] FOSScamp discussion notes

Sebastian Heinlein glatzor at ubuntu.com
Fri May 23 02:30:11 PDT 2008


Am Freitag, den 23.05.2008, 08:17 +0100 schrieb Richard Hughes:
> On Fri, 2008-05-23 at 09:04 +0200, Klaus Kaempf wrote:
> > * Richard Hughes <hughsient at gmail.com> [May 23. 2008 08:51]:
> > > 
> > > Well, it's not the case of installing dodgy software, as we
> already let
> > > the user do that with warnings and needing the root prompt. The
> issue is
> > > that some developer creates a repo with a package with a higher
> epoch,
> > > and then the fedora releases a critical security package (with an
> > > updated version, but smaller epoch) and the package does not get
> > > upgraded, leaving the user vulnerable.
> > 
> > How's that any different from 'normal' package installs and
> updates ?
> > Does PackageKit, or any other package management software, prevent
> > this today ?
> 
> Well, if I use my distro provided repos then there's a pretty certain
> guarantee that things won't break mid-cycle like that. I do see your
> point tho.

It is about keeping a technical barrier.

In Ubuntu apt url was introduced. If you click on an url e.g.
apt://packagekit an installer will start and install packagekit from the
Ubuntu repositories.

Allowing to easily add third party repositories and install third party
software without a certification infrastructure is like opening the
gates to hell. Most user just don't have got the technical understanding
to handle this well.

The Ubuntu way seems to be a good compromise.

Cheers,

Sebastian




More information about the PackageKit mailing list