[packagekit] Res: One click install support in PackageKit

Dan Kegel dank at kegel.com
Tue Mar 24 04:44:43 PDT 2009


On Tue, Mar 24, 2009 at 1:28 AM, Richard Hughes <hughsient at gmail.com> wrote:
> On Tue, 2009-03-24 at 06:49 +0530, Debayan Banerjee wrote:
>> 2009/3/24 Daniel Nicoletti <dantti85-pk at yahoo.com.br>:
>> > Hi, I think you would like to take a
>> > look at http://packagekit.org/pk-faq.html#1-click-install
>> >
>>
>> So should I forget about this project totally?
>
> No, if you are able to address the security concerns, then I think it is
> very worthwhile. The easiest thing to do is just copy the SUSE reference
> OCI implementation which in my opinion is horribly insecure.
>
> Also, I think someone in Google tried to do this a few months ago;
> probably worth searching the archives for links. Thanks,

Yeah, that was me and a summer intern, Dorian Perkins.
You can see a tarball of his work at
http://www.cs.ucr.edu/~dperkins/projects/pk-oci/

The approach we took was to not allow adding new
repositories via OCI -- the most we did was enable
existing repositories that were disabled. He
didn't get very far, but he does have a demo of
how to do an OCI-like thing with the PackageKit C
API.

I still think this is worth working on. There are
many things that could be done to provide
some security. See also
https://lists.linux-foundation.org/pipermail/packaging/2008-October/000842.html
and the resulting discussion (some of which is elsewhere, e.g.
http://duncan.mac-vicar.com/blog/archives/414 )

There isn't going to be any consensus from just
talking about this; what's needed is to try out some
of the existing ideas.
- Dan
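
The enable-only policy described in the message above, sketched as an added example; it is not Dorian Perkins's code and does not use the PackageKit API. The request layout (a dict with "repos" and "packages"), the function names and the yum-style sample configuration are assumptions made for illustration.

```python
import configparser

# Constructed sample: repositories already configured on the machine.
LOCAL_REPOS = """
[base]
name=Base
baseurl=https://mirror.example.org/base
enabled=1

[extras]
name=Extras
baseurl=https://mirror.example.org/extras
enabled=0
"""


def load_local_repos(text):
    """Return {repo_id: enabled} for repositories the admin already set up."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {s: cp.getboolean(s, "enabled", fallback=True) for s in cp.sections()}


def plan_install(request, local):
    """Check a one-click request (hypothetical format) against the policy.

    A request may only name repositories by id. Anything that would define
    or redefine a repository (a URL, a key, any extra field) is refused,
    as is an id that is not already configured locally.
    Returns (repos_to_enable, packages).
    """
    to_enable = []
    for repo in request.get("repos", []):
        rid = repo.get("id")
        if set(repo) != {"id"}:
            raise PermissionError(f"request tries to define repository {rid!r}")
        if rid not in local:
            raise PermissionError(f"repository {rid!r} is not configured locally")
        if not local[rid]:
            to_enable.append(rid)  # known but disabled: the only change allowed
    return to_enable, list(request.get("packages", []))


if __name__ == "__main__":
    local = load_local_repos(LOCAL_REPOS)
    print(plan_install({"repos": [{"id": "extras"}], "packages": ["foo"]}, local))
```

The trust decision stays with whoever wrote the local repository configuration: the downloaded request can select among those entries but cannot supply a URL or signing key of its own.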


