SingleClickInstall

Differences between revisions 9 and 10
Revision 9 as of 2007-10-17 15:00:04
Size: 1554
Editor: p54A646E9
Comment:
Revision 10 as of 2007-11-02 21:14:23
Size: 2980
Editor: 12
Comment: bof
See also: https://blueprints.launchpad.net/ubuntu/+spec/third-party-apt https://wiki.ubuntu.com/ThirdPartyApt

Please check the status of this specification in Launchpad before editing it. If it is Approved, contact the Assignee or another knowledgeable person before making changes.

Summary

There is a demand for making installing software via the web easy.

Release Note

TBD

Rationale

The instructions for some third-party sites include steps like "w3m -dump http://foo.com/install | sh". There should be an easier and more obvious way to get packages installed from third parties *with* the ability to understand every step.

Use Cases

  • Alice needs thunderbird 3.0 on her system to get her work done, because it provides the new frobonicator. Ubuntu ships only 2.0. She wants to install it in a secure way and she wants only the new thunderbird.

Design

  • Security implications?
  • What are we protecting users from?
  • Method, implementation, etc.
  • Repository signing
  • Obtaining signing key
  • QA
  • What do other distros do?

UI Changes

  • TBD

Test/Demo Plan

TBD

Outstanding Issues

  • what about something like klik-images?
  • What about people using Unicode to spoof domain names? What about integrating with Google and Firefox's spoofing verification program?
    • What about certification program for third-party repositories? [Merely saying Universe is insufficient.]

BoF agenda and discussion

Use this section to take notes during the BoF; if you keep it in the approved spec, use it for summarising what was discussed and note any options that were rejected.

  • Easy problems to solve:
    • man-in-the-middle (signatures)
    • stop unintended installations (force confirmation)
  • Instead of displaying a confirmation prompt of "zomg unsigned", evaluate package quality
    • Use lintian to present a summary of a package's quality
    • Suggest alternative, if present in official repositories
    • Perform virus/malware scanning
  • Stop-gap to get to signed repositories would be signed .deb files
  • should record where key was downloaded from
  • have repositories list the location to download a key which contains details about where the key came from (though I don't see the benefit)
  • have an evangelist to tell the (about 10ish) repositories out there to use the new ThirdPartyApt instructions rather than providing old wget and apt-key add stuff.

    • most people who run third-party repos are currently MOTU or affiliated with them in some way. This gives us a good basis for starting a trust path

Confirmation is important.

  • could also ship some default keys for a few third-party repos
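
The following is an added example, not code from this spec or from any Ubuntu tool. It sketches how three of the notes above could fit together: forced confirmation, recording where the key was downloaded from, and the Unicode domain-spoofing question. The function names, the record fields and the rule "type the ASCII host name back when the host looks suspicious" are assumptions made for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

def host_report(repo_url):
    """Return (ASCII/punycode host or None, warnings) for a repository URL."""
    host = urlsplit(repo_url).hostname or ""
    warnings = []
    if not host.isascii():
        warnings.append("host contains non-ASCII characters")
    for label in host.split("."):
        # For letters, the first word of the Unicode name is the script,
        # e.g. "LATIN SMALL LETTER A" vs "CYRILLIC SMALL LETTER A".
        scripts = {unicodedata.name(c, "UNKNOWN").split()[0]
                   for c in label if c.isalpha()}
        if len(scripts) > 1:
            warnings.append("label mixes scripts: " + ", ".join(sorted(scripts)))
    try:
        ascii_host = host.encode("idna").decode("ascii") or None
    except UnicodeError:
        ascii_host = None
        warnings.append("host is not a valid IDNA name")
    return ascii_host, warnings

def confirm_and_record(repo_url, key_fingerprint, key_url, answer):
    """Return (prompt lines, record); record is None unless the user confirmed."""
    ascii_host, warnings = host_report(repo_url)
    prompt = ["Add third-party repository?",
              "  host (ASCII form):   %s" % ascii_host,
              "  signing key:         %s" % key_fingerprint,
              "  key downloaded from: %s" % key_url]
    prompt += ["  WARNING: " + w for w in warnings]
    if ascii_host is None:
        return prompt + ["Refusing: no usable host name."], None
    # Assumed policy: a clean host needs an explicit "yes"; a host with
    # warnings needs its ASCII form typed back, so the user has to read it.
    expected = ascii_host if warnings else "yes"
    prompt.append("Type '%s' to continue: " % expected)
    if answer.strip().lower() != expected:
        return prompt, None
    # Record the origin of the key next to the key itself for later audits.
    return prompt, {"repository": repo_url, "host_ascii": ascii_host,
                    "key_fingerprint": key_fingerprint,
                    "key_downloaded_from": key_url, "warnings": warnings}

# Constructed sample values; the second host contains CYRILLIC SMALL LETTER A.
SAMPLE_KEY = "PLACEHOLDER-FINGERPRINT"
CLEAN_REPO = "http://archive.example.org/ubuntu"
SPOOF_REPO = "http://ex\u0430mple.com/ubuntu"

if __name__ == "__main__":
    for url in (CLEAN_REPO, SPOOF_REPO):
        print("\n".join(confirm_and_record(url, SAMPLE_KEY, url + "/key.asc", "yes")[0]))
```
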



SingleClickInstall (last edited 2008-08-06 16:19:47 by localhost)