[packagekit] Res: One click install support in PackageKit

Debayan Banerjee debayanin at gmail.com
Wed Apr 1 13:43:24 PDT 2009


2009/4/1 Richard Hughes <hughsient at gmail.com>:
>
> I don't think popularity can be inferred from trust or vice versa. If
> you digg a link to the "new" nvidia drivers you'll have thousands of
> hits to your repo, instantly making it popular (and in your scheme,
> trusted). There's no trust there, as the new nvidia driver could have a
> keylogger shipped with the package, which took a few days for someone to
> find.

1) The 3rd party repository page will be ranked by trust votes. This
page will be ranked by user votes, and not by Fedora admins. People
will know to trust only this particular page for their packages. If
Fedora hosts a certain service its rankings in Google search will far
surpass that of a 3rd party repo I guess.

2) There is no scope in this case for diggs. The ranking will not
reflect diggs. That would influence Google search rankings, not the
distro hosted rankings. Over time (and this time will be very short)
people will know that the distro based rankings are the one to follow.

3) Hiding a key-logger and people not noticing it in a few days can
happen in all conditions. Whether you host the rankings or not. Fedora
users will still be vulnerable since they will still go ahead and add
Adobe and vlc repositories anyways.

>
> There's always the "bored developer" problem too. A developer picks up a
> bit of software, packages it, and puts it in an archive. After a few
> months the developer stops re-packaging it, which means if the upstream
> repo changes from one version of a library to another, the update only
> half completes, and the system library is stuck at a low version until
> the package is removed or updated.

Well in that case a user shall remove the package (or maybe even the
repository) and install the newer updated repository. However I admit
I did not think of this problem before.
It can still happen. Say I download GIMP and create an updated GIMP
version and host it on my own server and repository. I have a better
GIMP and users don't add me and don't use me. But I exist. People then
come to know about me and add me and install me, but the original
bigger, better repo is still there.
What I mean is the bored developer problem will not affect people
since most people have the default repos enabled by default and then
add some extra repos. That means all the standard packages will have
at least one standard repo listed.

>
> Richard.
>
>
> _______________________________________________
> PackageKit mailing list
> PackageKit at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/packagekit
>



-- 
Be Intelligent, Use GNU/Linux

http://debayanin.googlepages.com/
http://debayan.wordpress.com
http://lug.nitdgp.ac.in
