AptFirefoxFileHandler
Line 6: | Line 6: |
* '''Packages affected''': | * '''Packages affected''': A new package for this needs to be created == Summary == It should be possible to install software in a safe and supported way over a website. This allows us to provide more dynamic content and richer metadata (like screenshots, comments) than with traditional client applications and to better support Launchpad's new personal package archives. To achieve this, a new "apt://" protocol will be created that allows giving commands to apt/synaptic. == Release Note == The apt-firefox-archive-plugin feature allows users to install software via simple websites in a safe and supported way. == Rationale == People use to install software just clicking on a URL. Softonic, Tucows and others, list lots of applications that users can easily add to their Windows boxes. The linux way is not that easy. An Ubuntu distribution has got a defined repository with loads of software, but users need to use a specific software installer (gnome-app-install, synaptic) to add more software. == Use Cases == * Alfonso is asking a question on the Guadalinex forums. A support technician from Guadalinex team founds that his problem can be resolved by installing a single package. He posts an answer with a link to apt://unrar, and the user only has to click on it to solve his problem. * The Guadalinex team needs to provide their users with an up-to-date list of "extra software" which doesn't fit on the CD. The developers add a menu entry in the stable version of the distro that opens a webpage hosted on Guadalinex servers that can be easily updated, with links to apt://name_of_package * Pepe, an Ubuntu enthusiast, wants to write a Beryl HOWTO in his weblog. He easily adds links to the referred software with "apt://name-of-package" urls. * Celso has a launchpad PPA for his software. He wants to make it easy to add his repository and puts an apt protocol handler in for this. 
== Scope == The apt protocol should support the following actions: * install package from existing repository * adding new repository == Design == The default internet browser will call a external application whenever an apt:package_name url is clicked. It adds the complete url as an argument to that external application. The external application will then do the equivalent of apt-get install $package_name (using synaptic or adept_batch as its backend) The new protocol will follow http://tools.ietf.org/html/rfc3986 (STD66). In its easiest from, the new url will be formatted: {{{ apt:package_name }}} We are not linking a .deb file, just giving the name of the package to an external application. By default the syntax will be not hierarchical, but to stay compatible with Guadalinex a hierarchical argument will be supported as well (apt://pkg_name will also work). In addition to this, a syntax will be supported to install applications that come from repositories that are not in the current sources.list. This synatx will follow the following style: {{{ apt+http://launchpad.net/~mvo/ppa/test/?package=my-new-package?keyfile=ppa-key }}} The keyfile will be searched in /usr/share/app-install/channels. If no keyfile is given it is assumed that the repository is authenticated with the default key. If the repository can not be authenticated it will not be added and no packages get installed. If the repository is not already in the sources.list the UI will ask if the repository should be added permanently or just temporarily. The package is then installed. If no parameter is given it is assumed that the distro is set to "/". The line above expands to: {{{ deb http://launchpad.net/~mvo/ppa/test/ / }}} The parameters "dist=foo" and multiple "section=bar" are supported as well. 
So {{{apt+http://launchpad.net/~mvo/ppa/test/?package-my-new-pkg?dist=feisty?section=foo?section=bar}}} expands to a sources.list line like this: {{{ deb http://launchpad.net/~mvo/ppa/test feisty foo bar }}} Additional a parameter {{{minversion=x.y}}} will be supported. This enables us to build webpages about packages that describe new features and provide a quick "install now" link. If (for some reason) the minversion is not available the user will not be disappointed that the package he installed does not actually support the advised features. Example: {{{ apt:tuxracer apt+http://launchpad.net/~mvo/ppa/test?package=foo?minversion=1.0 }}} |
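Review bot: the added Design text cites RFC 3986 but separates parameters with a second `?` (`?package=my-new-package?keyfile=ppa-key`). A generic RFC 3986 parser treats everything after the first `?` as one query string, so the handler needs its own splitting rule; the spec should either state that rule or switch to `&`. In the same hunk the dist/section example writes `package-my-new-pkg` where the other examples use `package=`, and its expansion drops the trailing slash that the URL carries (`.../ppa/test/` versus `deb http://launchpad.net/~mvo/ppa/test feisty foo bar`). Please make the examples consistent.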
Line 10: | Line 107: |
* First at all, Firefox (or default browser) must be tweaked to recognize a new (invented) apt:// protocol. * When an apt:// url is clicked a piece of software must be triggered. Browser will pass the url to this application. * The application will call synaptic with a few parameters to download and install the package, including dependencies (/usr/sbin/synaptic --hide-main-window --non-interactive --set-selections-file /tmp/apt-packagename.tmp) |
* Firefox (and in the future other browsers like konqueror and epiphany) must be tweaked to recognize a new apt:// protocol. * When an apt: url is clicked a python application is triggered. The browser will pass the url to this application. * The application will display a dialog explaining what is going to happen and how much download is required. If the user confirms it will call synaptic or adept_batch (depending on the desktop environment) with a few parameters to download and install the package, including dependencies (/usr/sbin/synaptic --hide-main-window --non-interactive --set-selections-file /tmp/apt-packagename.tmp) |
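Review bot: the added third bullet still hands the backend a fixed, name-derived path (`--set-selections-file /tmp/apt-packagename.tmp`). That file decides what synaptic installs, so the spec should require a securely created temporary file (unpredictable name, owner-only permissions) instead of a predictable name in /tmp. The same bullet says the dialog explains "what is going to happen"; it would help to list the minimum it must show, for example the package name and the repository it comes from alongside the download size already mentioned.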
Line 15: | Line 118: |
In Guadalinex, we have modified /usr/lib/firefox/firefox.cfg, and added a dirty perl script to parse the url, and call synaptic. | The handler will be installed into /usr/share/firefox/defaults/prefs/apt-archive-handler.js as an additional configuration file. The whole application will done as a new package with some python clue code (gapti/gdebi will be reused as much as possible or even merged if that is feasible). |
Line 17: | Line 124: |
Move the changes into /usr/share/firefox/defaults/prefs/apt-archive-handler.js as an additional configuration file. The whole thing should be a new package with some python clue code (maybe a modification of gdebi???)that will display information about the package and offer a dialog to install it. For installing synaptic will used as a backend. | A similar mechanism is implemented in Guadalinex, the file /usr/lib/firefox/firefox.cfg was modified to achieve the same goal, and a perl script was added to parse the url, and call synaptic. We will provide compatibility with their syntax. |
Line 19: | Line 129: |
== Outstanding Issues == - If a user is using a distribution, Debian for example, and the web points to a package that exists in ubuntu but not in debian, the script will fail. It has to notify the users that something went wrong. - Action suggestions: * Install Packages (apt://vim) or (apt://vim:install) * Install specific versions of package (apt://install:vim=1.2.3) * Add a new repository, i.e., PPA (apt://repository:deb http://ppa.launchpad.net/cprov/ubuntu main restricted universe multiverse) * How do you control "evil" uses of this? It's the same thing if anybody tells an newbye to execute "rm -rf", we cannot control that. But the user is not executing this, it's been automatically written in /etc/apt/sources.list. Well, the user must give his authorization to every change, and also his password.Ok * Update package list: apt://update * Upgrade and dist-upgrade distro: apt://upgrade apt://dist-upgrade * Remove a package: apt://emacs:remove |
The current set of commands is limited on purpose. Actions like "update", "upgrade", "dist-upgrade", "remove" look not useful or plain dangerous. We may expand the syntax later to support multiple packages separated by ",". |
Line 30: | Line 134: |
* very important that we keep backward compatibility with the schema from guadalinex * the primary target is the package, the first argument is always the package name, then more commands can be added after the first ";" |
== Security == |
Line 34: | Line 136: |
== BoF agenda and discussion == | With the above design the security implications are small. All software comes from trusted repositories, it is only possible to add repositories that have a keyfile that is already available in ubuntu already (e.g. in the app-install-data-commercial package). |
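Review bot: the new Security paragraph depends on `keyfile` resolving only to files already shipped under /usr/share/app-install/channels, but nothing in the added text says how the `keyfile`, `dist` and `section` values are validated before they are used as a file name and copied into a sources.list line. Suggest stating that each value must match a restricted character set with no `/` or whitespace, and that the request is refused when the check fails. The paragraph also reads "already available in ubuntu already"; drop one "already".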
Line 36: | Line 141: |
Guadalinex svn: | A possible attack vector would be to trick users to install a application with a known vulnerability or to install applications that open a port. |
Line 38: | Line 145: |
== Future Work == The approach to allow only adding repositories with already available keys limits this protocol for third party vendors. We could consider extending the specification in the future to have a command like "add-repository-unsafe" if that is a desired goal, or have a new apt-protocol: handler. == Releated Work == A similar approach using a command file instead of a protocol: https://wiki.ubuntu.com/ThirdPartyApt and https://wiki.ubuntu.com/GAptI. The svn for the Guadalinex implementation: {{{ |
|
Line 39: | Line 160: |
}}} | |
Line 41: | Line 163: |
== Comments == '''KillerKiwi''' - Just about died when I saw this almost exactly what I proposed for edgy... https://wiki.ubuntu.com/aptgetinstallprotocol . Thanks for implementing this :) BTW register the protocol in Gconf and it will be available for all gnome apps including firefox and thunderbird One last thing I think would work better integrated with gnome-app-install rather than gdebi . RafaelProenca - It don't make use of gdebi. But indeed, using g-a-i like in [[http://img363.imageshack.us/img363/3144/pantallazoapturlxb9.png|this screenshot]] would be better than just a simple "Yes & No" dialog. . KillerKiwi- That screen shot is exactly what I meant ;) (Not sure where I got the idea gdebi was being used). Maybe add to the top "Official Ubuntu Software" or "Third Party Unsupported Software"... the exact phrase (Maybe copy the software sources dialogue) may need tweaking but you get the idea, some way to easily tell this is official Ubuntu or not. . [[https://wiki.ubuntu.com/Cyphase|Cyphase]] - I agree with KillerKiwi (I was just coming here to comment on it). If you just add a GConf key under /desktop/gnome/url-handlers, all Gnome supporting browsers will be able to act on the apt:// protocol. '''Gaurish Sharma''' - Does it support multiple packages at once? If not then please include this feature '''AlfonsoDeCala''' - This implementation must take care of many "apt" links clicked simultaneously. We (Guadalinex) have a web interface showing a software catalogue and I'm afraid users try to click some of them very quickly. A repository lock should be checked (and user informed) ASAP. '''Glaydson''' - I created a open source project that read the sources.list and make a structure to use apt protocol in http://www.apturl.net. ''The current set of commands is limited on purpose. Actions like "update", "upgrade", "dist-upgrade", "remove" look not useful or plain dangerous. 
We may expand the syntax later to support multiple packages separated by ",".'' I don't see any reason to limit this. Allow removing packages, adding repositories, etc. Prevent people from doing dangerous things by clearly explaining to them what they are about to do and what the dangers are, not by intentionally crippling software and making things artificially difficult. This isn't like downloading an .exe file from a Flash pop-up that mimics Windows and letting it do whatever it wants to your hard drive. Anything done through an apt: URL has to go through the gateway of the AptURL program first, which allows us to control exactly what the user sees when they try to do it. |
Please check the status of this specification in Launchpad before editing it. If it is Approved, contact the Assignee or another knowledgeable person before making changes.
Launchpad Entry: apt-firefox-archive-handler
Packages affected: A new package for this needs to be created
Summary
It should be possible to install software in a safe and supported way over a website. This allows us to provide more dynamic content and richer metadata (like screenshots, comments) than with traditional client applications and to better support Launchpad's new personal package archives. To achieve this, a new "apt://" protocol will be created that allows giving commands to apt/synaptic.
Release Note
The apt-firefox-archive-plugin feature allows users to install software via simple websites in a safe and supported way.
Rationale
People are used to installing software by just clicking on a URL. Softonic, Tucows and others list lots of applications that users can easily add to their Windows boxes. The Linux way is not that easy.
An Ubuntu distribution has got a defined repository with loads of software, but users need to use a specific software installer (gnome-app-install, synaptic) to add more software.
Use Cases
- Alfonso is asking a question on the Guadalinex forums. A support technician from the Guadalinex team finds that his problem can be resolved by installing a single package. He posts an answer with a link to apt://unrar, and the user only has to click on it to solve his problem.
- The Guadalinex team needs to provide their users with an up-to-date list of "extra software" which doesn't fit on the CD. The developers add a menu entry in the stable version of the distro that opens a webpage hosted on Guadalinex servers that can be easily updated, with links to apt://name_of_package
- Pepe, an Ubuntu enthusiast, wants to write a Beryl HOWTO in his weblog. He easily adds links to the referred software with "apt://name-of-package" urls.
- Celso has a launchpad PPA for his software. He wants to make it easy to add his repository and puts an apt protocol handler in for this.
Scope
The apt protocol should support the following actions:
- install package from existing repository
- adding new repository
Design
The default internet browser will call an external application whenever an apt:package_name url is clicked. It passes the complete url as an argument to that external application. The external application will then do the equivalent of apt-get install $package_name (using synaptic or adept_batch as its backend).
The new protocol will follow http://tools.ietf.org/html/rfc3986 (STD66).
In its simplest form, the new url will be formatted:
apt:package_name
We are not linking a .deb file, just giving the name of the package to an external application. By default the syntax will be not hierarchical, but to stay compatible with Guadalinex a hierarchical argument will be supported as well (apt://pkg_name will also work).
In addition to this, a syntax will be supported to install applications that come from repositories that are not in the current sources.list. This syntax will follow this style:
apt+http://launchpad.net/~mvo/ppa/test/?package=my-new-package?keyfile=ppa-key
The keyfile will be searched in /usr/share/app-install/channels. If no keyfile is given it is assumed that the repository is authenticated with the default key. If the repository can not be authenticated it will not be added and no packages get installed.
If the repository is not already in the sources.list the UI will ask if the repository should be added permanently or just temporarily. The package is then installed. If no parameter is given it is assumed that the distro is set to "/". The line above expands to:
deb http://launchpad.net/~mvo/ppa/test/ /
The parameters "dist=foo" and multiple "section=bar" are supported as well. So apt+http://launchpad.net/~mvo/ppa/test/?package=my-new-pkg?dist=feisty?section=foo?section=bar expands to a sources.list line like this:
deb http://launchpad.net/~mvo/ppa/test feisty foo bar
Additionally, a parameter minversion=x.y will be supported. This enables us to build webpages about packages that describe new features and provide a quick "install now" link. If (for some reason) the minversion is not available the user will not be disappointed that the package he installed does not actually support the advertised features.
Examples:
apt:tuxracer
apt+http://launchpad.net/~mvo/ppa/test?package=foo?minversion=1.0
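A sketch of the parsing and validation step the Design section describes, added here as an example and not the project's own code. It accepts the `apt:`, `apt://` and `apt+http://` forms, splits parameters on `?` as the page's examples do (also accepting `&`), and builds the sources.list line. The name `parse_apt_url`, the character-set rules and the mapping of a keyfile name to a path under /usr/share/app-install/channels are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

KEYFILE_DIR = "/usr/share/app-install/channels"      # directory named in the spec
# Assumed character sets: values end up in a file name or a sources.list line,
# so whitespace, "/" and shell metacharacters are never accepted.
PKG = re.compile(r"[a-z0-9][a-z0-9+.\-]+")           # Debian package name
TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9+.~\-]*")  # dist, section, keyfile, version
BASE = re.compile(r"http://[A-Za-z0-9.\-]+(/[A-Za-z0-9._~\-]*)*")
ALLOWED = {"package", "keyfile", "dist", "section", "minversion"}


class AptUrlError(ValueError):
    """Raised for any URL the handler should refuse to act on."""


def _checked(pattern, value, what):
    if not pattern.fullmatch(value):
        raise AptUrlError(f"invalid {what}: {value!r}")
    return value


def _single(params, key):
    values = params.get(key, [])
    if len(values) > 1:
        raise AptUrlError(f"parameter given more than once: {key}")
    return values[0] if values else None


def parse_apt_url(url):
    """Parse apt:pkg, apt://pkg or apt+http://...; return the install request."""
    if url.startswith("apt+http://"):
        base, _, query = url[len("apt+"):].partition("?")
        _checked(BASE, base, "repository URL")
        params = {}
        for part in filter(None, re.split(r"[?&]", query)):
            key, sep, value = part.partition("=")
            if not sep or key not in ALLOWED:
                raise AptUrlError(f"unsupported parameter: {part!r}")
            params.setdefault(key, []).append(unquote(value))
        package = _single(params, "package")
        if package is None:
            raise AptUrlError("missing package parameter")
        dist = _single(params, "dist")
        sections = params.get("section", [])
        if sections and dist is None:
            raise AptUrlError("section requires dist")
        # No dist given: the spec says the distro defaults to "/".
        fields = ["deb", base, "/" if dist is None else _checked(TOKEN, dist, "dist")]
        fields += [_checked(TOKEN, s, "section") for s in sections]
        keyfile = _single(params, "keyfile")
        if keyfile is not None:  # bare name only, resolved inside KEYFILE_DIR
            keyfile = posixpath.join(KEYFILE_DIR, _checked(TOKEN, keyfile, "keyfile"))
        minversion = _single(params, "minversion")
        if minversion is not None:
            _checked(TOKEN, minversion, "minversion")
        return {"package": _checked(PKG, package, "package"), "minversion": minversion,
                "deb_line": " ".join(fields), "keyfile": keyfile}
    if url.startswith("apt:"):
        name = url[len("apt:"):]
        if name.startswith("//"):  # Guadalinex-compatible hierarchical form
            name = name[2:]
        return {"package": _checked(PKG, name, "package"),
                "minversion": None, "deb_line": None, "keyfile": None}
    raise AptUrlError("not an apt: URL")
```

The repository URL is kept exactly as given, so a trailing slash in the link also appears in the generated line.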
Implementation
- Firefox (and in the future other browsers like konqueror and epiphany) must be tweaked to recognize a new apt:// protocol.
- When an apt: url is clicked a python application is triggered. The browser will pass the url to this application.
- The application will display a dialog explaining what is going to happen and how much download is required. If the user confirms it will call synaptic or adept_batch (depending on the desktop environment) with a few parameters to download and install the package, including dependencies (/usr/sbin/synaptic --hide-main-window --non-interactive --set-selections-file /tmp/apt-packagename.tmp)
The handler will be installed into /usr/share/firefox/defaults/prefs/apt-archive-handler.js as an additional configuration file. The whole application will be done as a new package with some Python glue code (gapti/gdebi will be reused as much as possible or even merged if that is feasible).
A similar mechanism is implemented in Guadalinex: the file /usr/lib/firefox/firefox.cfg was modified to achieve the same goal, and a perl script was added to parse the url and call synaptic. We will provide compatibility with their syntax.
The current set of commands is limited on purpose. Actions like "update", "upgrade", "dist-upgrade" and "remove" look either not useful or plain dangerous. We may expand the syntax later to support multiple packages separated by ",".
Security
With the above design the security implications are small. All software comes from trusted repositories; it is only possible to add repositories that have a keyfile that is already available in Ubuntu (e.g. in the app-install-data-commercial package).
A possible attack vector would be to trick users into installing an application with a known vulnerability or into installing applications that open a port.
Future Work
The approach to allow only adding repositories with already available keys limits this protocol for third party vendors. We could consider extending the specification in the future to have a command like "add-repository-unsafe" if that is a desired goal, or have a new apt-protocol: handler.
Related Work
A similar approach using a command file instead of a protocol: https://wiki.ubuntu.com/ThirdPartyApt and https://wiki.ubuntu.com/GAptI.
The svn for the Guadalinex implementation:
svn co http://forja.guadalinex.org/guadalinexv4/apps/xapi
Comments
KillerKiwi - Just about died when I saw this, almost exactly what I proposed for edgy... https://wiki.ubuntu.com/aptgetinstallprotocol . Thanks for implementing this. BTW, register the protocol in GConf and it will be available for all GNOME apps, including Firefox and Thunderbird. One last thing: I think it would work better integrated with gnome-app-install rather than gdebi.
RafaelProenca - It doesn't make use of gdebi. But indeed, using g-a-i like in this screenshot would be better than just a simple "Yes & No" dialog.
KillerKiwi - That screenshot is exactly what I meant (not sure where I got the idea gdebi was being used). Maybe add to the top "Official Ubuntu Software" or "Third Party Unsupported Software"... the exact phrase (maybe copy the software sources dialogue) may need tweaking but you get the idea, some way to easily tell this is official Ubuntu or not.
Cyphase - I agree with KillerKiwi (I was just coming here to comment on it). If you just add a GConf key under /desktop/gnome/url-handlers, all Gnome supporting browsers will be able to act on the apt:// protocol.
Gaurish Sharma - Does it support multiple packages at once? If not then please include this feature
AlfonsoDeCala - This implementation must take care of many "apt" links clicked simultaneously. We (Guadalinex) have a web interface showing a software catalogue and I'm afraid users try to click some of them very quickly. A repository lock should be checked (and user informed) ASAP.
Glaydson - I created an open source project that reads the sources.list and makes a structure to use the apt protocol at http://www.apturl.net.
The current set of commands is limited on purpose. Actions like "update", "upgrade", "dist-upgrade", "remove" look not useful or plain dangerous. We may expand the syntax later to support multiple packages separated by ",".
- I don't see any reason to limit this. Allow removing packages, adding repositories, etc. Prevent people from doing dangerous things by clearly explaining to them what they are about to do and what the dangers are, not by intentionally crippling software and making things artificially difficult. This isn't like downloading an .exe file from a Flash pop-up that mimics Windows and letting it do whatever it wants to your hard drive. Anything done through an apt: URL has to go through the gateway of the AptURL program first, which allows us to control exactly what the user sees when they try to do it.
AptFirefoxFileHandler (last edited 2009-07-22 05:47:36 by 66)