Please check the status of this specification in Launchpad before editing it. If it is Approved, contact the Assignee or another knowledgeable person before making changes.
Launchpad Entry: single-click-install
Packages affected: apturl
There is a demand for making installing software via the web easy.
The instructions for some third party sites include steps like "w3m -dump http://foo.com/install | sh". There should be an easier and more obvious way to get packages installed from 3rd parties *with* the ability to understand every step.
- Alice needs thunderbird 3.0 on her system to get her work done, because it provides the new frobonicator. Ubuntu ships only 2.0. She wants to install it in a secure way and she wants to install only the new thunderbird.
- Security implications?
- What are we protecting users from?
- Method, implementation, etc.
- Repository signing
- Obtaining signing key
- What do other distros do?
- What about something like klik-images?
- I would like this, klik2 has much potential, it's perfect for user applications. My vision is like this: apps-images for user applications and another tool to install 'system wide applications'. Anyway, the klik project needs help.
- What about people using Unicode to spoof domain names? What about integrating with Google and Firefox's spoofing verification program?
- What about certification program for third-party repositories? [Merely saying Universe is insufficient.]
- What about Zero Install (http://0install.net)? Already supports signatures and is in universe. Allows installing packages without giving them root access.
BoF agenda and discussion
Use this section to take notes during the BoF; if you keep it in the approved spec, use it for summarising what was discussed and note any options that were rejected.
- Easy problems to solve:
- man-in-the-middle (signatures)
- stop unintended installations (force confirmation)
- Instead of displaying a confirmation prompt of "zomg unsigned", evaluate package quality
- Use lintian to present a summary of a package's quality
- Suggest alternative, if present in official repositories
- Perform virus/malware scanning
- Stop-gap to get to signed repositories would be signed .deb files
- should record where key was downloaded from
- have repositories list the location to download a key which contains details about where the key came from (though I don't see the benefit)
- Have an evangelist to tell the (about 10ish) repositories out there to use the new ThirdPartyApt instructions rather than providing old wget and apt-key add stuff.
- most people who run thirdparty repos are currently MOTU or affiliated with them in some way. This gives us a good basis for starting a trustpath
Confirmation is important.
- could also ship some default keys for a few Thirdpartyrepos
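The "easy problems" in the notes above (tampering in transit, unintended installation, recording where material came from) can be shown as a gate placed in front of a downloaded install script. This is an added example, not code from the spec or from apturl: the function name, log format and return codes are hypothetical, the sample installer is constructed, and a pinned SHA-256 digest stands in for real signature verification.

```shell
#!/bin/sh
# Added example (not part of the spec): run a downloaded installer only after
# an integrity check and an explicit confirmation, instead of "... | sh".
#
# verified_install FILE EXPECTED_SHA256 SOURCE_URL ANSWER [LOGFILE]
#   returns 0: digest matched, user confirmed, script executed
#   returns 2: digest mismatch (possible tampering in transit), nothing run
#   returns 3: user did not confirm, nothing run
verified_install() {
    file=$1; expected=$2; source_url=$3; answer=$4; log=${5:-/dev/null}

    # Integrity: compare against a digest obtained out of band (assumption:
    # a pinned SHA-256 stands in for a real signature check here).
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "REFUSED digest-mismatch source=$source_url got=$actual" >>"$log"
        return 2
    fi

    # Forced confirmation: only the literal word "yes" proceeds, so an empty
    # answer or a reflexive "y" never installs anything.
    if [ "$answer" != "yes" ]; then
        echo "REFUSED not-confirmed source=$source_url" >>"$log"
        return 3
    fi

    # Record where the installer came from before running it.
    echo "INSTALLED source=$source_url sha256=$actual" >>"$log"
    sh "$file"
}

# Constructed sample: a harmless stand-in for a third-party install script.
demo_dir=$(mktemp -d)
printf 'echo "installing frobonicator"\n' >"$demo_dir/install.sh"
# In practice the publisher supplies this value over a separate trusted channel.
pinned=$(sha256sum "$demo_dir/install.sh" | cut -d' ' -f1)

verified_install "$demo_dir/install.sh" "$pinned" "http://foo.com/install" yes "$demo_dir/log"
echo "tampered copy" >>"$demo_dir/install.sh"   # simulate modification in transit
verified_install "$demo_dir/install.sh" "$pinned" "http://foo.com/install" yes "$demo_dir/log" \
    || echo "second run refused with status $?"
cat "$demo_dir/log"
```

The log ends up with one INSTALLED line and one REFUSED line, so a later review can see both what ran and what was blocked.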
- I think that a single-click install feature in Ubuntu, to allow easy application download from arbitrary web sites, is a direct invitation for trojans and malwares for its user base, and therefore should *not* be adopted. You have two kinds of users:
- Normal users: the typical mom, dad, children, library visitors, typical business employees. They want stability, reliability (i.e. no virus), and have no notion of trojans and malwares, and they *WILL* install any dodgy application with a shiny icon because it is so cute, and because Ubuntu makes it so easy to only click on it once and install. We are basically repeating the errors of Windows, which is staggering under a heavy dose of anti-virus software to check every downloaded program, and even fails to do that in many cases. One of the most important assets of Ubuntu is that all its rich application set ecology is trustworthy, and this set is already featured enough for all normal users.
- Power users: the typical geek user, more knowledgeable on the system. This user does *not* need a one-click install, s/he knows how to update apt.conf if needed and to take the relevant care with dodgy sources, so the single click install feature is useless, and can even make this group more susceptible to impulsive installation from not-yet-quite-checked sources. This would be Alice wanting to use Thunderbird 3.0 (instead of the Thunderbird 2.0 already shipped in Ubuntu) in the user case of the proposed blueprint. She does not need a single-click install system. If she knows she needs TB 3.0, then she is already enough computer-literate to know how to modify apt.conf, and the security dangers of doing so. If she wants to install TB 3.0 without modifying apt.conf, then she should gather with a community of TB 3.0-lovers and suggest Ubuntu to add TB 3.0 to its official repository (see suggestions below).
- DO NOT use any Windows Vista-like 'security' confirmation dialog, asking if the user wants to install a possibly dangerous application bla bla bla, Vista has already shown that users despise this kind of false security procedure: normal users will always click 'accept', or disable this as soon as possible. Microsoft is irresponsible for dumping security responsibility over its users' shoulders, instead of solving their security problems. Please do not repeat this error.
- Signatures and certificates are NOT enough security for normal users. Normal users do not understand them, and will accept any fake self-signed certificate, just because it says 'click accept' on the subject id field.
- Instead of opening up Ubuntu to dodgy third-party developers, Ubuntu should motivate and facilitate the virtuous ones, under user demand, to publicly apply for a slot in Ubuntu's partners (or whatever) repository. There's already enough applications in Ubuntu's repository for 99.9% of users.
- If there's a popular clamor for a few specific new applications/versions from the user base, these users should gather in a community and submit a request (similar to a popular plebiscite/referendum) to add the new applications in Ubuntu partner's (or whatever the name) repository. Ubuntu should make this submission easy, from some web-page with user comments (the forum seems fine and easily adaptable), and *seriously* consider the submission and add the new application to the repository if the community is large enough (say, larger than 1000 people).
- A large-enough community would justify the expense of facilitating the installation of that application to normal users via addition to the Ubuntu's official partner repository (remember, power users do not need this facility, they know already how to do this). The new application should be approved to be distributed from the repository after a thorough public community review of the application (even anti-malware companies might be part of this community). This review would attest the trustworthiness of the application+version from the comments and experiences of a large number of other users (and maybe anti-malware companies). That's how highly-demanded popular third-party applications should be added to Ubuntu. Don't repeat Microsoft's bad security delegation (allow/deny) and carelessness to normal users (who are innocent targets of mischievous developers); harness the power of the community instead.
- FORS: There's only a trustworthy centralized repository of applications for normal users (the Ubuntu's repository). It discourages normal users to try dodgy applications on the Internet (even though they have this freedom, as long as they are willing to learn how to modify apt.conf. Power users already know this). At the worst, if an application is found later to be tainted in the repository, it is only a matter of revoking the application, removing it from Ubuntu's repository, and maybe even releasing a 'security update' which will uninstall the offending application from the users' systems. Also, there's much less chance of an approved application to break Ubuntu's DEB installation system.
Are we talking about downloading the latest thunderbird-i686-3.0.tar.gz file and compiling the software for the user, but with a GDebi-like interface?