Bug#462063: [Aptitude-devel] Bug#462063: aptitude: please add a "See homepage" action for packages
Hi, Manuel A. Fernandez Montecelo wrote: > > > So I don't really think that it's a good idea to implement this, because > > > it's like opening a can of worms; and even if it was it means a > > > considerable amount of work, and I think that at the moment the scarce > > > time would be better spent in other more pressing problems. > > > > I think both those features (opening home page in a browser as well as > > reporting a bug on a package), both should be accessible if aptitude > > does not run as root, if at all. > > > > I'm not sure how many aptitude users use the Aptitude TUI as non-root > > at all. While it is probably a good idea security-wise, I use aptitude > > as user basically only with querying options (search, show, version, > > etc.) on the commandline. > > From previous communications I thought that you were in favour of > removing the reportbug and not implement this one; Likely possible. > but your wording makes me think that you are in favour of keeping > them for non-root usage -- or is it "I prefer to remove report bug > and not implement the browser launching, but if not going to be > removed at least do it when aptitude is not invoked as root"? It's a bit of both. The idea of disabling some features if running as root just came to me when reading this thread and I think that's better than completely removing them as some users seem to use them. (IIRC there was some opposition of removing them.) My initial thought was that some of the features (like the "open homepage in browser" feature) makes more sense if an aptitude GUI is running. We currently support them anymore, but I assume that they were used more often as non-root than the TUI, so it seems to make more sense there. That's how I came to the idea of making the difference with running as root or not. Running dpkg-reconfigure of course only makes sense if run as root while browser and reportbug should not be run as root. So I consider those different cases. The only similarity is that it would need another keybinding. Another thing which always come to my mind when it comes to the aptitude TUI and reportbug is #412830 (Ctrl-Z + fg confuses aptitude: down arrow runs reportbug) which is annoying and would be gone for no additional effort if the reportbug feature would be removed. Then again, running reportbug is not the issue, but misinterpreting escape sequences after being foregrounded again. reportbug is just a symptom there. Regards, Axel -- ,''`. | Axel Beckert, http://people.debian.org/~abe/ : :' : | Debian Developer, ftp.ch.debian.org Admin `. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5 `-| 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
Bug#462063: [Aptitude-devel] Bug#462063: aptitude: please add a "See homepage" action for packages
2015-10-11 13:35 Axel Beckert: Hi, Manuel A. Fernandez Montecelo wrote: > with the new field for a packages homepage, it would be nice to have a menu > entry and hotkey to open a "sensible-browser" with the Homepage URL of the > current package (with no action, if there is no Homepage specified). I am marking this bug as +wontfix, mainly because it's been for 7+ years without being implemented, so I don't see it happening any time soon. Also, because implementing this kind of features with a package that often runs as root and sometimes remotely is tricky because: [...] - running the browser as root is even more problematic This is IMHO the main point, although that may be less of an issue if aptitude runs as user. This is very similar to aptitude's "B" keybinding which runs reportbug on the selected package. That feature exists, but it has been requested to be removed (!) for multiple reasons. If used as root, reportbug clearly warns that running it as root may be a security issue. This is #738350 (and #463510 before that, but it was closed without removing it), copying this bug report as well in the reply (perhaps we should move the discussion to that bug report only). I still didn't go ahead removing reportbug because --apart from not being high priority-- there is the parallel issue of the call to dpkg-reconfigure, which I don't know if it's better to keep, add to the menu and fix some issues (#680334) or remove it altogether. Before seeing it mentioned in these bug reports a while ago, I was actually unaware of them, and it's undocumented in man page and quick in-line help, not sure about the full user's manual (so if keeping it, it would also need documenting where missing). For reportbug there's the possibility of implementing the drop of privileges, but for dpkg-reconfigure we need root anyway, it's not a security issue but there is some work to do to bring it to first-level functionality. I still think that it's probably better to remove both reportbug and dpkg-reconfigure -- perhaps I am wrong, but I don't think that they are very used/important features. And specially the browser it would not just be solved with dropping privileges, because there is also the issue of X/graphical authentication, greatly increased bandwidth in remote connections, etc. So I don't really think that it's a good idea to implement this, because it's like opening a can of worms; and even if it was it means a considerable amount of work, and I think that at the moment the scarce time would be better spent in other more pressing problems. I think both those features (opening home page in a browser as well as reporting a bug on a package), both should be accessible if aptitude does not run as root, if at all. I'm not sure how many aptitude users use the Aptitude TUI as non-root at all. While it is probably a good idea security-wise, I use aptitude as user basically only with querying options (search, show, version, etc.) on the commandline. From previous communications I thought that you were in favour of removing the reportbug and not implement this one; but your wording makes me think that you are in favour of keeping them for non-root usage -- or is it "I prefer to remove report bug and not implement the browser launching, but if not going to be removed at least do it when aptitude is not invoked as root"? Cheers. -- Manuel A. Fernandez Montecelo
Bug#462063: [Aptitude-devel] Bug#462063: aptitude: please add a "See homepage" action for packages
Hi, Manuel A. Fernandez Montecelo wrote: > > with the new field for a packages homepage, it would be nice to have a menu > > entry and hotkey to open a "sensible-browser" with the Homepage URL of the > > current package (with no action, if there is no Homepage specified). > > I am marking this bug as +wontfix, mainly because it's been for 7+ years > without being implemented, so I don't see it happening any time soon. > > Also, because implementing this kind of features with a package that > often runs as root and sometimes remotely is tricky because: [...] > - running the browser as root is even more problematic This is IMHO the main point, although that may be less of an issue if aptitude runs as user. This is very similar to aptitude's "B" keybinding which runs reportbug on the selected package. That feature exists, but it has been requested to be removed (!) for multiple reasons. If used as root, reportbug clearly warns that running it as root may be a security issue. > So I don't really think that it's a good idea to implement this, because > it's like opening a can of worms; and even if it was it means a > considerable amount of work, and I think that at the moment the scarce > time would be better spent in other more pressing problems. I think both those features (opening home page in a browser as well as reporting a bug on a package), both should be accessible if aptitude does not run as root, if at all. I'm not sure how many aptitude users use the Aptitude TUI as non-root at all. While it is probably a good idea security-wise, I use aptitude as user basically only with querying options (search, show, version, etc.) on the commandline. Regards, Axel -- ,''`. | Axel Beckert, http://people.debian.org/~abe/ : :' : | Debian Developer, ftp.ch.debian.org Admin `. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5 `-| 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
Bug#462063: aptitude: please add a "See homepage" action for packages
Control: tags -1 + wontfix Hello Guenter, 2008-01-22 09:25 G. Milde: Package: aptitude Version: 0.4.10-1+b1 Severity: wishlist Dear Daniel, with the new field for a packages homepage, it would be nice to have a menu entry and hotkey to open a "sensible-browser" with the Homepage URL of the current package (with no action, if there is no Homepage specified). I am marking this bug as +wontfix, mainly because it's been for 7+ years without being implemented, so I don't see it happening any time soon. Also, because implementing this kind of features with a package that often runs as root and sometimes remotely is tricky because: - can become a security liability (and aptitude has a wide enough attack surcface already), for example: - one would have to make sure that the field is not malicious and cannot be abused before passing it to another tool, etc - running the browser as root is even more problematic - root doesn't necessarily have permission to run graphical applications if it was launched as another user, specially if run remotely - even if it works when running it remotely, simply triggering the action (which can maybe be done by mistake) can have undesired effects like launch the browser in a way in which uses the remote X protocol and take lots of time on slow connections, and maybe it is not easy to cancel (specially if the intense flow data blocks the connection) So I don't really think that it's a good idea to implement this, because it's like opening a can of worms; and even if it was it means a considerable amount of work, and I think that at the moment the scarce time would be better spent in other more pressing problems. Cheers. -- Manuel A. Fernandez Montecelo
Bug#462063: aptitude: please add a See homepage action for packages
Package: aptitude Version: 0.4.10-1+b1 Severity: wishlist Dear Daniel, with the new field for a packages homepage, it would be nice to have a menu entry and hotkey to open a sensible-browser with the Homepage URL of the current package (with no action, if there is no Homepage specified). Thanks Guenter -- Package-specific info: Terminal: rxvt $DISPLAY is set. -- System Information: Debian Release: lenny/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing') Architecture: i386 (i686) Kernel: Linux 2.6.21-2-686 (SMP w/1 CPU core) Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1) Shell: /bin/sh linked to /bin/bash Versions of packages aptitude depends on: ii apt [libapt-pkg-libc6.6-6 0.7.9 Advanced front-end for dpkg ii libc6 2.7-1 GNU C Library: Shared libraries ii libcwidget1 0.5.6.1-2+b1 high-level terminal interface libr ii libgcc1 1:4.2.1-5 GCC support library ii libncursesw5 5.6+20071013-1 Shared libraries for terminal hand ii libsigc++-2.0-0c2a2.0.17-2 type-safe Signal Framework for C++ ii libstdc++64.2.1-5The GNU Standard C++ Library v3 Versions of packages aptitude recommends: ii aptitude-doc-en [aptitude-doc 0.4.10-1 English manual for aptitude, a ter pn libparse-debianchangelog-perl none (no description available) -- no debconf information -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]