An 'Add this PPA' link should appear on PPA pages using AptURL

Bug #376603 reported by Jamu Kakar on 2009-05-14
This bug affects 5 people
Affects: Launchpad itself
Importance: Undecided
Assigned to: Unassigned

Bug Description

The UbuntuOne guys have a very cool 'Add PPA' button in their
startup instructions. It's a link to an apt:// URL that installs a
package, adding a file with the appropriate deb lines for their PPA
to /etc/apt/sources.list.d/ubuntuone-sources.list. It would be
really awesome if Launchpad created packages like this automatically
and showed an 'Add PPA' button on PPA pages.

Endolith (endolith) wrote :

Do you mean that PPAs would have a link for "Add this PPA" that is an AptURL link? I think this is a great idea.

AptURL's PPA functionality is disabled for "security concerns", though, and the + format doesn't work.

Bug #132070

Jamu Kakar (jkakar) wrote :

Endolith:

Yes, that's what I was thinking. It'd be an apt:// URL that would
install a package that put a file in /etc/apt/sources.list.d
containing the deb-lines for the PPA. This is how UbuntuOne
automates this procedure. Regarding security concerns, I'm not
convinced that an apt:// URL on Launchpad is any less safe than some
deb-lines on a web page the user is instructed to paste into a file
visible to apt. Either way, the user has to decide they trust
Launchpad. The only thing that differs here is the mechanism by
which they follow through on deciding they trust Launchpad.

Endolith (endolith) on 2009-06-01
summary: - An 'Add this PPA' package should be installable directly from PPA pages,
- adding an item to /etc/apt/source.list.d
+ An 'Add this PPA' link should appear on PPA pages using AptURL

Endolith (endolith) wrote :

The UbuntuOne link that adds the PPA is a package, not an AptURL link:

https://media.ubuntuone.com/media/files/ubuntuone-jaunty-ppa.deb

Then there's an AptURL link below that to install the client package.

apt://ubuntuone-client?refresh=yes

But AptURL has the functionality to do both steps in one, if I understand correctly; it's just disabled by default. I don't know why. Installing random debs seems more dangerous and less reliable than installing PPAs.
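An added example, not part of the bug report and not Launchpad or AptURL code: whichever mechanism puts a file into /etc/apt/sources.list.d (pasted deb lines or a helper .deb), an administrator can list the repositories those files enable and compare their hosts against an allowlist. The allowlist, the sample deb lines and the function names are assumptions made for this illustration; only the file name ubuntuone-sources.list comes from the report.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# One-line-style entry: type, optional [options], URI, suite, components.
ENTRY = re.compile(r"^(deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)(.*)$")

def parse_entries(list_dir):
    """Yield (file name, type, uri, suite) for each active entry in *.list files."""
    for path in sorted(Path(list_dir).glob("*.list")):
        for raw in path.read_text().splitlines():
            line = raw.split("#", 1)[0].strip()  # drop comments and disabled lines
            m = ENTRY.match(line)
            if m:
                yield path.name, m.group(1), m.group(2), m.group(3)

def untrusted_entries(list_dir, trusted_hosts):
    """Return entries whose archive host is not on the caller's allowlist."""
    findings = []
    for name, kind, uri, suite in parse_entries(list_dir):
        host = urlparse(uri).hostname or ""
        if host not in trusted_hosts:
            findings.append((name, kind, host, uri, suite))
    return findings

def demo():
    # Constructed sample data: the deb lines below are made up for illustration.
    ppa = "http://ppa.launchpad.net/example-team/example-ppa/ubuntu"
    with tempfile.TemporaryDirectory() as d:
        Path(d, "official.list").write_text(
            "deb http://archive.ubuntu.com/ubuntu jaunty main universe\n"
            f"# deb {ppa} jaunty main\n"  # commented out, so not active
        )
        Path(d, "ubuntuone-sources.list").write_text(
            f"deb {ppa} jaunty main  # added by a helper package\n"
            f"deb-src [arch=amd64] {ppa} jaunty main\n"
        )
        return untrusted_entries(d, {"archive.ubuntu.com"})

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a live system, point `untrusted_entries` at /etc/apt/sources.list.d; `dpkg -S <file>` then shows whether an installed package owns a flagged file.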

William Grant (wgrant) wrote :

Jamu, they do not have to trust just Launchpad. They have to establish whether they can trust the team or person that owns the PPA.

Jamu Kakar (jkakar) wrote :

William:

Good point. I still think my basic point stands up: making it
easier to add a PPA to your system doesn't change the "who do you
trust?" issue.

Matthew Paul Thomas (mpt) wrote :

Installing a non-repository package that exists only to add another repository is a clever hack, but still a hack. Ubuntu policy is currently that it should be non-trivial to add a PPA as a repository, on the grounds that damage from software in unreliable PPAs would reflect poorly on Ubuntu. It would be counterproductive for Launchpad developers to try and subvert Ubuntu developers this way (especially while Ubuntu is the only OS for which Launchpad builds PPA packages).

Ubuntu has a whitelist for trusted repositories, and a process for being added to that whitelist <https://wiki.ubuntu.com/ThirdPartyRepositoryApplicationProcess>. The Ubuntu One developers should apply for inclusion in the whitelist, instead of using a .deb hack. The same is true for any other PPA owner who wants easy installation but for whom the official Ubuntu repositories are inappropriate.

Matthew Paul Thomas (mpt) wrote :

I have just discussed this with the Ubuntu One developers, and they are working on an even better solution: getting their software into Ubuntu's Main repository. But the general point holds -- if you want your software to be installable in Ubuntu without warnings, you should (a) get it into an official repository, (b) get it into an already-whitelisted repository (e.g. the Canonical partner repository), or (c) apply to get your own repository whitelisted. I don't think Launchpad should do anything special here, apart from making the PPA-adding instructions easier to follow (bug 338256).

Endolith (endolith) wrote :

This isn't for developers; it's for users. We want to use software that *isn't* in the repositories. There is no reason why adding a PPA should be difficult. Security should be handled with warnings and social engineering, not by introducing unnecessary tedium.

Julian Edwards (julian-edwards) wrote :

Based on the discussions at UDS, and here, I'm marking this Won't Fix. As mpt says, I don't want to subvert the Ubuntu guys.

There *will* be support in Ubuntu itself at some point for making it easier to install PPAs (search for "App Center") but what the Ubuntu guys don't want is to trivialise adding repositories from browser links, which could come from anywhere.

affects: launchpad → soyuz
Changed in soyuz:
status: New → Won't Fix

Endolith (endolith) wrote :

Script to automatically add keys for PPAs: https://code.launchpad.net/~oldman/+junk/launchpad-update

Savvas Radevic (medigeek) wrote :

> Script to automatically add keys for PPAs: https://code.launchpad.net/~oldman/+junk/launchpad-update

There's also a perl script: http://ubuntuforums.org/showthread.php?t=1056099
