Bug#462063: [Aptitude-devel] Bug#462063: aptitude: please add a "See homepage" action for packages

2015-10-12 Thread Axel Beckert
Hi,

Manuel A. Fernandez Montecelo wrote:
> > > So I don't really think that it's a good idea to implement this, because
> > > it's like opening a can of worms; and even if it was it means a
> > > considerable amount of work, and I think that at the moment the scarce
> > > time would be better spent in other more pressing problems.
> >
> > I think both those features (opening home page in a browser as well as
> > reporting a bug on a package), both should be accessible if aptitude
> > does not run as root, if at all.
> >
> > I'm not sure how many aptitude users use the Aptitude TUI as non-root
> > at all. While it is probably a good idea security-wise, I use aptitude
> > as user basically only with querying options (search, show, version,
> > etc.) on the commandline.
> 
> From previous communications I thought that you were in favour of
> removing the reportbug and not implement this one;

Likely possible.

> but your wording makes me think that you are in favour of keeping
> them for non-root usage -- or is it "I prefer to remove report bug
> and not implement the browser launching, but if not going to be
> removed at least do it when aptitude is not invoked as root"?

It's a bit of both. The idea of disabling some features if running as
root just came to me when reading this thread and I think that's
better than completely removing them as some users seem to use them.
(IIRC there was some opposition of removing them.)

My initial thought was that some of the features (like the "open
homepage in browser" feature) make more sense if an aptitude GUI is
running. We currently support them anymore, but I assume that they
were used more often as non-root than the TUI, so it seems to make
more sense there. That's how I came to the idea of making the
difference with running as root or not.

Running dpkg-reconfigure of course only makes sense if run as root
while browser and reportbug should not be run as root. So I consider
those different cases. The only similarity is that it would need
another keybinding.

Another thing which always comes to my mind when it comes to the
aptitude TUI and reportbug is #412830 (Ctrl-Z + fg confuses aptitude:
down arrow runs reportbug) which is annoying and would be gone for no
additional effort if the reportbug feature would be removed. Then
again, running reportbug is not the issue, but misinterpreting escape
sequences after being foregrounded again. reportbug is just a symptom
there.

Regards, Axel
-- 
 ,''`.  |  Axel Beckert , http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-|  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE



Bug#462063: [Aptitude-devel] Bug#462063: aptitude: please add a "See homepage" action for packages

2015-10-12 Thread Manuel A. Fernandez Montecelo

2015-10-11 13:35 Axel Beckert:
> Hi,
>
> Manuel A. Fernandez Montecelo wrote:
> > > with the new field for a packages homepage, it would be nice to have a menu
> > > entry and hotkey to open a "sensible-browser" with the Homepage URL of the
> > > current package (with no action, if there is no Homepage specified).
> >
> > I am marking this bug as +wontfix, mainly because it's been for 7+ years
> > without being implemented, so I don't see it happening any time soon.
> >
> > Also, because implementing this kind of features with a package that
> > often runs as root and sometimes remotely is tricky because:
> [...]
> >  - running the browser as root is even more problematic
>
> This is IMHO the main point, although that may be less of an issue if
> aptitude runs as user.
>
> This is very similar to aptitude's "B" keybinding which runs reportbug
> on the selected package. That feature exists, but it has been
> requested to be removed (!) for multiple reasons.
>
> If used as root, reportbug clearly warns that running it as root may
> be a security issue.

This is #738350 (and #463510 before that, but it was closed without
removing it), copying this bug report as well in the reply (perhaps we
should move the discussion to that bug report only).

I still didn't go ahead removing reportbug because --apart from not
being high priority-- there is the parallel issue of the call to
dpkg-reconfigure, which I don't know if it's better to keep, add to the
menu and fix some issues (#680334) or remove it altogether.  Before
seeing it mentioned in these bug reports a while ago, I was actually
unaware of them, and it's undocumented in man page and quick in-line
help, not sure about the full user's manual (so if keeping it, it would
also need documenting where missing).

For reportbug there's the possibility of implementing the drop of
privileges, but for dpkg-reconfigure we need root anyway, it's not a
security issue but there is some work to do to bring it to first-level
functionality.  I still think that it's probably better to remove both
reportbug and dpkg-reconfigure -- perhaps I am wrong, but I don't think
that they are very used/important features.

And specially the browser it would not just be solved with dropping
privileges, because there is also the issue of X/graphical
authentication, greatly increased bandwidth in remote connections, etc.

> > So I don't really think that it's a good idea to implement this, because
> > it's like opening a can of worms; and even if it was it means a
> > considerable amount of work, and I think that at the moment the scarce
> > time would be better spent in other more pressing problems.
>
> I think both those features (opening home page in a browser as well as
> reporting a bug on a package), both should be accessible if aptitude
> does not run as root, if at all.
>
> I'm not sure how many aptitude users use the Aptitude TUI as non-root
> at all. While it is probably a good idea security-wise, I use aptitude
> as user basically only with querying options (search, show, version,
> etc.) on the commandline.

From previous communications I thought that you were in favour of
removing the reportbug and not implement this one; but your wording
makes me think that you are in favour of keeping them for non-root usage
-- or is it "I prefer to remove report bug and not implement the browser
launching, but if not going to be removed at least do it when aptitude
is not invoked as root"?


Cheers.
--
Manuel A. Fernandez Montecelo 



Bug#462063: [Aptitude-devel] Bug#462063: aptitude: please add a "See homepage" action for packages

2015-10-11 Thread Axel Beckert
Hi,

Manuel A. Fernandez Montecelo wrote:
> > with the new field for a packages homepage, it would be nice to have a menu
> > entry and hotkey to open a "sensible-browser" with the Homepage URL of the
> > current package (with no action, if there is no Homepage specified).
> 
> I am marking this bug as +wontfix, mainly because it's been for 7+ years
> without being implemented, so I don't see it happening any time soon.
> 
> Also, because implementing this kind of features with a package that
> often runs as root and sometimes remotely is tricky because:
[...]
>  - running the browser as root is even more problematic

This is IMHO the main point, although that may be less of an issue if
aptitude runs as user.

This is very similar to aptitude's "B" keybinding which runs reportbug
on the selected package. That feature exists, but it has been
requested to be removed (!) for multiple reasons.

If used as root, reportbug clearly warns that running it as root may
be a security issue.

> So I don't really think that it's a good idea to implement this, because
> it's like opening a can of worms; and even if it was it means a
> considerable amount of work, and I think that at the moment the scarce
> time would be better spent in other more pressing problems.

I think both those features (opening home page in a browser as well as
reporting a bug on a package), both should be accessible if aptitude
does not run as root, if at all.

I'm not sure how many aptitude users use the Aptitude TUI as non-root
at all. While it is probably a good idea security-wise, I use aptitude
as user basically only with querying options (search, show, version,
etc.) on the commandline.

Regards, Axel
-- 
 ,''`.  |  Axel Beckert , http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-|  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE



Bug#462063: aptitude: please add a "See homepage" action for packages

2015-10-10 Thread Manuel A. Fernandez Montecelo

Control: tags -1 + wontfix


Hello Guenter,

2008-01-22 09:25 G. Milde:
> Package: aptitude
> Version: 0.4.10-1+b1
> Severity: wishlist
>
> Dear Daniel,
>
> with the new field for a packages homepage, it would be nice to have a menu
> entry and hotkey to open a "sensible-browser" with the Homepage URL of the
> current package (with no action, if there is no Homepage specified).


I am marking this bug as +wontfix, mainly because it's been for 7+ years
without being implemented, so I don't see it happening any time soon.


Also, because implementing this kind of features with a package that
often runs as root and sometimes remotely is tricky because:

- can become a security liability (and aptitude has a wide enough attack
 surface already), for example:

 - one would have to make sure that the field is not malicious and
 cannot be abused before passing it to another tool, etc

 - running the browser as root is even more problematic

- root doesn't necessarily have permission to run graphical applications
 if it was launched as another user, specially if run remotely

- even if it works when running it remotely, simply triggering the
 action (which can maybe be done by mistake) can have undesired effects
 like launch the browser in a way in which uses the remote X protocol
 and take lots of time on slow connections, and maybe it is not easy to
 cancel (specially if the intense flow data blocks the connection)


So I don't really think that it's a good idea to implement this, because
it's like opening a can of worms; and even if it was it means a
considerable amount of work, and I think that at the moment the scarce
time would be better spent in other more pressing problems.


Cheers.
--
Manuel A. Fernandez Montecelo 
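
The two security points in the list above (checking the Homepage field before it is passed to another tool, and not running the browser as root), as an added example that is not aptitude's code or part of the thread. The function names, the character allow-list and the length limit are assumptions.

```cpp
#include <cstdio>
#include <string>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum class Launch { Ok, RefusedRoot, RefusedUrl, Failed };

// Hypothetical check: accept only http(s) URLs made of a conservative character set.
bool homepage_is_safe(const std::string &url) {
    if (url.empty() || url.size() > 2048) return false;
    const bool http = url.compare(0, 7, "http://") == 0;
    const bool https = url.compare(0, 8, "https://") == 0;
    if (!http && !https) return false;  // rejects "-option", file:, javascript:, ...
    const std::string rest = url.substr(http ? 7 : 8);
    if (rest.empty() || rest[0] == '/') return false;  // a host is required
    static const std::string allowed =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~:/?#@&=+%,";
    return url.find_first_not_of(allowed) == std::string::npos;
}

// Policy discussed in the thread: never start a browser from a root session.
Launch check_launch(const std::string &url, uid_t euid) {
    if (euid == 0) return Launch::RefusedRoot;
    return homepage_is_safe(url) ? Launch::Ok : Launch::RefusedUrl;
}

// argv array: the field is handed over as one argument, not as a shell command line.
Launch open_homepage(const std::string &url) {
    const Launch verdict = check_launch(url, geteuid());
    if (verdict != Launch::Ok) return verdict;
    const pid_t pid = fork();
    if (pid < 0) return Launch::Failed;
    if (pid == 0) {
        execlp("sensible-browser", "sensible-browser", url.c_str(), (char *)nullptr);
        _exit(127);  // exec failed
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return Launch::Failed;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? Launch::Ok : Launch::Failed;
}

int main() {
    // Constructed sample Homepage values, not taken from any real package.
    const char *samples[] = {"https://example.org/pkg", "--help", "file:///etc/passwd",
                             "http://example.org/$(id)"};
    for (const char *s : samples)
        std::printf("%-28s -> %s\n", s, homepage_is_safe(s) ? "accept" : "reject");
    return 0;
}
```

The check covers only the first two items of the list; the remote X and bandwidth concerns raised in the same message are not addressed by it.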



Bug#462063: aptitude: please add a See homepage action for packages

2008-01-22 Thread G. Milde
Package: aptitude
Version: 0.4.10-1+b1
Severity: wishlist


Dear Daniel,

with the new field for a packages homepage, it would be nice to have a menu
entry and hotkey to open a sensible-browser with the Homepage URL of the
current package (with no action, if there is no Homepage specified).

Thanks

Guenter

-- Package-specific info:
Terminal: rxvt
$DISPLAY is set.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.21-2-686 (SMP w/1 CPU core)
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages aptitude depends on:
ii  apt [libapt-pkg-libc6.6-6 0.7.9          Advanced front-end for dpkg
ii  libc6                     2.7-1          GNU C Library: Shared libraries
ii  libcwidget1               0.5.6.1-2+b1   high-level terminal interface libr
ii  libgcc1                   1:4.2.1-5      GCC support library
ii  libncursesw5              5.6+20071013-1 Shared libraries for terminal hand
ii  libsigc++-2.0-0c2a        2.0.17-2       type-safe Signal Framework for C++
ii  libstdc++6                4.2.1-5        The GNU Standard C++ Library v3

Versions of packages aptitude recommends:
ii  aptitude-doc-en [aptitude-doc 0.4.10-1   English manual for aptitude, a ter
pn  libparse-debianchangelog-perl none (no description available)

-- no debconf information


