SingleClickInstall
See also: https://blueprints.launchpad.net/ubuntu/+spec/third-party-apt https://wiki.ubuntu.com/ThirdPartyApt
Please check the status of this specification in Launchpad before editing it. If it is Approved, contact the Assignee or another knowledgeable person before making changes.
Launchpad Entry: single-click-install
Packages affected: apturl
Summary
There is a demand for making installing software via the web easy.
Release Note
TBD
Rationale
The instructions for some third party sites include steps like "w3m -dump http://foo.com/install | sh". There should be an easier and more obvious way to get packages installed from 3rd parties *with* the ability to understand every step.
Use Cases
- Alice needs thunderbird 3.0 on her system to get her work done, because it provides the new frobonicator. Ubuntu ships only 2.0. She wants to install it in a secure way and she wants only the new thunderbird.
Design
- Security implications?
- What are we protecting users from?
- Method, implementation, etc.
- Repository signing
- Obtaining signing key
- QA
- What do other distros do?
UI Changes
- TBD
Test/Demo Plan
TBD
Outstanding Issues
- what about something like klik-images?
- What about people using Unicode to spoof domain names? What about integrating with Google and Firefox's spoofing verification program?
- What about a certification program for third-party repositories? [Merely saying Universe is insufficient.]
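One way the Unicode spoofing question above could be handled before the confirmation prompt, as an added sketch that is not part of this spec or of apturl: decode each host label (including `xn--` punycode forms) and warn when it is non-ASCII or mixes scripts. The function names and sample hosts are hypothetical, and using the first word of a character's Unicode name as its script is a heuristic.

```python
import unicodedata


def label_scripts(label):
    """Approximate the scripts used by the letters of one DNS label.

    Heuristic: the first word of the Unicode character name
    (LATIN, CYRILLIC, GREEK, ...) stands in for the script.
    """
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def review_host(host):
    """Return warnings about a repository host name for the confirmation prompt."""
    warnings = []
    for raw in host.rstrip(".").split("."):
        label = raw.lower()
        if label.startswith("xn--"):
            # IDNA A-label: show the user what it really renders as.
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except (UnicodeError, ValueError):
                warnings.append(f"{raw}: undecodable punycode label")
                continue
        if label.isascii():
            continue
        scripts = sorted(label_scripts(label))
        if len(scripts) > 1:
            warnings.append(f"{raw}: mixes scripts {', '.join(scripts)}")
        else:
            warnings.append(f"{raw}: non-ASCII label ({', '.join(scripts) or 'no letters'})")
    return warnings


if __name__ == "__main__":
    # Constructed sample hosts; the second and third contain Cyrillic U+0430.
    for host in ("ppa.launchpad.net", "xn--pple-43d.example", "\u0430pple.example"):
        print(host.encode("unicode_escape").decode(), review_host(host))
```

A mixed-script label is the stronger signal; a single-script non-ASCII label can be legitimate and is only surfaced so the user sees it before confirming.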
BoF agenda and discussion
Use this section to take notes during the BoF; if you keep it in the approved spec, use it for summarising what was discussed and note any options that were rejected.
- Easy problems to solve:
- man-in-the-middle (signatures)
- stop unintended installations (force confirmation)
- Instead of displaying a confirmation prompt of "zomg unsigned", evaluate package quality
- Use lintian to present a summary of a package's quality
- Suggest alternative, if present in official repositories
- Perform virus/malware scanning
- Stop-gap to get to signed repositories would be signed .deb files
- should record where key was downloaded from
- have repositories list the location to download a key which contains details about where the key came from (though I don't see the benefit)
- have an evangelist to tell the (about 10ish) repositories out there to use the new ThirdPartyApt instructions rather than providing old wget and apt-key add stuff.
- most people who run thirdparty repos are currently MOTU or affiliated with them in some way. This gives us a good basis for starting a trustpath
Confirmation is important.
- could also ship some default keys for a few Thirdpartyrepos
SingleClickInstall (last edited 2008-08-06 16:19:47 by localhost)