An 'Add this PPA' link should appear on PPA pages using AptURL

Bug #376603 reported by Jamu Kakar
This bug affects 5 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Launchpad itself | Won't Fix | Undecided | Unassigned | |

Bug Description

The UbuntuOne guys have a very cool 'Add PPA' button in their
startup instructions. It's a link to an apt:// URL that installs a
package, adding a file with the appropriate deb lines for their PPA
to /etc/apt/sources.list.d/ubuntuone-sources.list. It would be
really awesome if Launchpad created packages like this automatically
and showed an 'Add PPA' button on PPA pages.

Tags: lp-soyuz
Revision history for this message
Endolith (endolith) wrote :

Do you mean that PPAs would have a link for "Add this PPA" that is an AptURL link? I think this is a great idea.

AptURL's PPA functionality is disabled for "security concerns", though, and the + format doesn't work.

Bug #132070

Revision history for this message
Jamu Kakar (jkakar) wrote :

Endolith:

Yes, that's what I was thinking. It'd be an apt:// URL that would
install a package that put a file in /etc/apt/sources.list.d
containing the deb-lines for the PPA. This is how UbuntuOne
automates this procedure. Regarding security concerns, I'm not
convinced that an apt:// URL on Launchpad is any less safe than some
deb-lines on a web page the user is instructed to paste into a file
visible to apt. Either way, the user has to decide they trust
Launchpad. The only thing that differs here is the mechanism by
which they follow through on deciding they trust Launchpad.

Endolith (endolith)
summary: - An 'Add this PPA' package should be installable directly from PPA pages,
- adding an item to /etc/apt/source.list.d
+ An 'Add this PPA' link should appear on PPA pages using AptURL
Revision history for this message
Endolith (endolith) wrote :

The UbuntuOne link that adds the PPA is a package, not an AptURL link:

https://media.ubuntuone.com/media/files/ubuntuone-jaunty-ppa.deb

Then there's an AptURL link below that to install the client package.

apt://ubuntuone-client?refresh=yes

But AptURL has the functionality to do both steps in one, if I understand correctly; it's just disabled by default. I don't know why. Installing random debs seems more dangerous and less reliable than installing PPAs.

Revision history for this message
William Grant (wgrant) wrote :

Jamu, they do not have to trust just Launchpad. They have to establish whether they can trust the team or person that owns the PPA.
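
An added example, not part of the thread or of Launchpad's code: a small audit of the deb lines discussed above, listing which official archives, PPA owners and other third-party hosts a system's apt configuration trusts. The `OFFICIAL_HOSTS` set and the sample entries are assumptions constructed for illustration, and only the one-line sources.list format is parsed.

```python
import glob
import os
import re
from urllib.parse import urlparse

# Assumption: hosts treated as official archives; adjust to local policy.
OFFICIAL_HOSTS = {"archive.ubuntu.com", "security.ubuntu.com"}
PPA_HOST = "ppa.launchpad.net"
# type, optional [options], URI, suite
ENTRY = re.compile(r"^(deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)")

# Constructed sample in one-line sources.list format (not from a real system).
SAMPLE = """\
deb http://archive.ubuntu.com/ubuntu jaunty main restricted
deb http://ppa.launchpad.net/example-team/ppa/ubuntu jaunty main
deb-src http://ppa.launchpad.net/example-team/ppa/ubuntu jaunty main
deb [arch=amd64] http://ppa.launchpad.net/someone/testing/ubuntu jaunty main
# deb http://ppa.launchpad.net/disabled/ppa/ubuntu jaunty main
deb http://repo.example.org/apt stable main
"""

def classify(line):
    """Return (category, identity) for one source line, or None if inactive."""
    m = ENTRY.match(line.split("#", 1)[0].strip())
    if not m:
        return None  # comment, blank line, or not a deb line
    url = urlparse(m.group(2))
    host = (url.hostname or "").lower()
    if host in OFFICIAL_HOSTS:
        return ("official", host)
    parts = [p for p in url.path.split("/") if p]
    if host == PPA_HOST and len(parts) >= 2:
        return ("ppa", f"{parts[0]}/{parts[1]}")  # PPA owner / archive name
    return ("third-party", host or m.group(2))

def audit(text):
    """Map each category to the sorted identities that apt will trust."""
    found = {}
    for line in text.splitlines():
        result = classify(line)
        if result:
            found.setdefault(result[0], set()).add(result[1])
    return {cat: sorted(ids) for cat, ids in found.items()}

if __name__ == "__main__":
    paths = ["/etc/apt/sources.list"] + glob.glob("/etc/apt/sources.list.d/*.list")
    files = [p for p in paths if os.path.isfile(p)]
    text = "".join(open(p, errors="replace").read() + "\n" for p in files) or SAMPLE
    for category, identities in audit(text).items():
        print(category, identities)
```

Each `ppa` entry in the output names a person or team whose packages apt will install, which is the trust decision the comment above refers to.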

Revision history for this message
Jamu Kakar (jkakar) wrote :

William:

Good point. I still think my basic point stands up: making it
easier to add a PPA to your system doesn't change the "who do you
trust?" issue.

Revision history for this message
Matthew Paul Thomas (mpt) wrote :

Installing a non-repository package that exists only to add another repository is a clever hack, but still a hack. Ubuntu policy is currently that it should be non-trivial to add a PPA as a repository, on the grounds that damage from software in unreliable PPAs would reflect poorly on Ubuntu. It would be counterproductive for Launchpad developers to try and subvert Ubuntu developers this way (especially while Ubuntu is the only OS for which Launchpad builds PPA packages).

Ubuntu has a whitelist for trusted repositories, and a process for being added to that whitelist <https://wiki.ubuntu.com/ThirdPartyRepositoryApplicationProcess>. The Ubuntu One developers should apply for inclusion in the whitelist, instead of using a .deb hack. The same is true for any other PPA owner who wants easy installation but for whom the official Ubuntu repositories are inappropriate.

Revision history for this message
Matthew Paul Thomas (mpt) wrote :

I have just discussed this with the Ubuntu One developers, and they are working on an even better solution: getting their software into Ubuntu's Main repository. But the general point holds -- if you want your software to be installable in Ubuntu without warnings, you should (a) get it into an official repository, (b) get it into an already-whitelisted repository (e.g. the Canonical partner repository), or (c) apply to get your own repository whitelisted. I don't think Launchpad should do anything special here, apart from making the PPA-adding instructions easier to follow (bug 338256).

Revision history for this message
Endolith (endolith) wrote :

This isn't for developers; it's for users. We want to use software that *isn't* in the repositories. There is no reason why adding a PPA should be difficult. Security should be handled with warnings and social engineering, not by introducing unnecessary tedium.

Revision history for this message
Julian Edwards (julian-edwards) wrote :

Based on the discussions at UDS, and here, I'm marking this Won't Fix. As mpt says, I don't want to subvert the Ubuntu guys.

There *will* be support in Ubuntu itself at some point for making it easier to install PPAs (search for "App Center") but what the Ubuntu guys don't want is to trivialise adding repositories from browser links, which could come from anywhere.

affects: launchpad → soyuz
Changed in soyuz:
status: New → Won't Fix
Revision history for this message
Endolith (endolith) wrote :

Script to automatically add keys for PPAs: https://code.launchpad.net/~oldman/+junk/launchpad-update

Revision history for this message
Savvas Radevic (medigeek) wrote :

> Script to automatically add keys for PPAs: https://code.launchpad.net/~oldman/+junk/launchpad-update

There's also a perl script: http://ubuntuforums.org/showthread.php?t=1056099
