Ubuntu Wiki

• Created: Date(2005-10-06T19:40:31Z) by JaneWeideman

• Priority: NeedsPriority

• People: NeedsLead, NeedsSecond

• Contributors: JaneWeideman

• Interested:

• Status: UbzSpecification, BrainDump (then DraftSpecification then EditedSpecification then ApprovedSpecification), DistroSpecification

• Branch: UbuntuTrack

• Malone bug:
• Packages affected:
• Depends:
• Dependents:

  FullSearch()

• BoF sessions: none yet

Summary

Autopackage Integration - Autopackage integration in Ubuntu to make it easy for commercial software to have installers (also have a look at [WWW] klik)

Rationale

Use cases

Scope

Design

Implementation

Code

Data preservation and migration

Outstanding issues

HiddeBrugmans - Do we really want any user to be able to install random packages from random internet sites? People will quite easily mess up their systems this way, and both autopackage and klik have drawbacks. It's not feasible to have *anything* on earth in universe, but we should take care not to turn ubuntu into a system that can easily be 'polluted'

Comment added by forbesguthrie

Unfortunately a lot of users will push for this integration. I think the best of both worlds can be achieved here. Have it integrated into synaptic so it tries to install it from the repositories first.

User Joe Bloggs want to install the latest PackageX. He sees a link on web page and downloads the PackageX AutoPackage. When he tries to run this on his gleeming new Dapper Ubuntu box this is what might happen:

• Synaptic kicks in and searches for the package (and same version) in Main, if found it installs it from there and lets the user know that it was installed from the repositories.
• If it can't find it in Main, it searches other repositories for it (offering to add them if required).
• If it can't find the same (or newer) version in a repository, then it offers an older version if available.

• If the user declines to use an older version or a version cannot be found, then it will install using AutoPackage after displaying a dialog box explaining the dangers of installing packages from the internet (spyware, trojans, etc) and that if packaged badly could break other packages,etc.

• In that case Synaptic would record the package name and version and regularly check the repositories for a match. If in the future it found a version on the repositories, then it would offer to replace the AutoPackage. The synaptic/repository server could also see which packages users were frequently installing through AutoPackage and better prioritise packaging for the repositories.

This way the users are happy and can install stuff from AutoPackage if they really want, but Ubuntu always tries to give them the best solution if its available. Just my $0.02

Comment added by TristanWibberley

I really don't think package installation that requires running things as root should ever be made easy unless the package is from Ubuntu. If users want to shoot themselves in the foot, let them go and find the gun store and buy the ammo. Don't put the gun in their hands and aim it for them. Autopackage requires running the third party's code as root since an autopackage package is a shell script.

If you are going to make it easy to install third party untrusted packages, let them be installed through dpkg without running any pre/post install/removal scripts. Perhaps, though, alien can be used to run the autopackage script in a safe environment and create a "dumb" deb. That might require wrappers for registration programs like gst-register that create safe scripts. They can then be forced into /opt preventing the typical user's PATH from running installed third party binaries by accident.

BoF agenda and discussion