[packagekit] PPA + Servers

Matthias Klumpp matthias at nlinux.org
Sat Jul 23 08:41:35 PDT 2011 

Hi there! :)

On Fri, 22 Jul 2011 21:09:51 -0400, Martin Owens <doctormo at gmail.com>
wrote:
> [...]
> Any package in any archive could have malicious code in it. When we
> trust a package archive we're trusting the archive maintainers to keep
> the archive clean of malicious packages and fairly cruft free.
> 
> This trust we place in the archive maintainers extends in two forms. We
> trust them morally, that they will do the right thing and not abuse
> their position of power committing crimes. And we trust their competence
> at being good at checking packages work.
> 
> None of this type of languages exists in Debian or Ubuntu when a user
> adds a PPA or other archive to their lists, or when they add a key. The
> key adding process is done automatically if you use apt-add-repository
> or worse, it's done tangentially if you use apt-key. this of course
> offers no opportunity for the user to be educated about the implications
> and of course offers no real friendly identifier to exactly who it is
> who is being trusted with root access. (I assume good policykit
> configuration would prevent some root things from happening)
I blogged about this some time ago, and you're right in everything you
say. These are the reasons why I hate the concept of PPAs and think they
should be replaced by a safer solution, which also should be more
user-friendly.

> Overall as a community I believe we have failed to identify the core
> designs of identity, relationship and trust and certainly failed to
> bring any of this functionality over to gui users via apis. What users
> need is to be able to manage their relationships, not their keys. They
> need to be able to identify and sanctify trust and if possible, verify
> the relationship with other people in their community before they trust
> them.
> 
> Overall, I don't think we can solve some of the "App Store" trust issues
> without first solving some of the deeper GnuPG, identity and signing
> concept design issues first.
I don't think this is necessary. The existing stuff GnuPG provides is
already good enough.
I currently develop a cross-distro solution which could make 90% of all
PPAs obsolete one day.
Therefor, I'm using this dialog as orientation to display useful
information about trust and package security:
http://blog.tenstral.net/wp-content/uploads/2011/06/zeroinstall-security-dlg.png
This ZeroInstall dialog is already excellent, the information provided
should be enough to make users able to decide if they want to install a
package.

Thanks for this mail, you really hit the spot on that! (with exactly the
same argumentation I argue against PPAs since they started them... ^^)

On Fri, 22 Jul 2011 19:20:23 -0400, Jean-Pierre Vidal Piesset
<jpxsat at gmail.com> wrote:
>>  I was just wondering how can i add a new ppa using the
gnome-packagekit
>>  UI
> Thanks Richard for answering.
> 
> IMHO the lack of being able to add a new ppa (even if it can be a
security
> problem according to your words - i did have no idea about this) could
be a
> deal braker for users that like packagekit, i explain: Linux users are
> generally willing to test new and rough software, and some other times a
> big
> improvement is made on the "next version" of the app... and the simplest
> way
> to do that is through a ppa.
Hi Jean-Pierre :)
Yes, and that is - unfortunately - true and the reason why I develop a
different solution at time which is far from beeing ready. (But it will be
ready-to use by the end of this year, I hope)

> Maybe you could add the option for it in the
> "Software Sources" BUT in the moment that this will be done, packagekit
> sends a warning about the risks, just an idea :) -- this way, maybe
> packagekit could capture more users!
I'm not sure Richard will like this :D But since you're considering
GNOME-PackageKit as Lubuntu's default component, I might be able to help.
I am the maintainer of GNOME-PackageKit and PackageKit on Debian and
Ubuntu. Synaptic and the USC use an application named
"software-properties-gtk" to manage software sources etc. We could easily
add a downstream patch to GNOME-PackageKit to execute
"software-properties-gtk" as root instead of showing GPKs own dialog. This
would match the current behavior of Synaptic.

> There is another point that i wasn't able to find: how can i change my
> download server?
You can use "software-properties-gtk" for that... I'm not sure if
PackageKit supports that at time, unfortunately I'm not on my development
machine to check this out right now.
But if this functionality is missing, it would be good to add it. (but I
think it's there)

> I'm asking and suggesting all of this because it has been suggested that
> *maybe* packagekit + gnome-packagekit could replace Synaptics in
Lubuntu,
> and in order to do so those two points are important for users of *buntu
> distros -- and Linux users in general.
Of course :) Please stay in contact with us!
Cheers,
   Matthias

More information about the PackageKit mailing list