Comment 7 for bug 909488

Steve Langasek (vorlon) wrote :

Hi Raphaël,

At Jorge's request, I've had a look at the nautilus-dropbox package in precise. There seem to be two main differences between the upstream package and the one included in precise.

 - The precise package stores dropboxd in a central location instead of keeping one copy per user. This is in principle the preferred way to do so in the distribution, but has the side effect that users who don't have admin privileges are unable to ever get updates. Unless an admin user runs 'dropbox update' for them, or there is an upgrade of the package, the user will then be using an out of date and possibly insecure version of dropboxd.

 - The precise package drops the maintainer script code to automatically add an apt sources entry for the dropbox upstream repository. This is obviously the correct thing to do for a distro package; packages in the distro distribution channel should not be automatically enabling third-party repositories, and while it's understandable that third parties would do this in their own .debs because it's the least-bad available option for ensuring software updates for the user, it does distinctly undermine the security model of the distribution (cf. the session at the UDS discussing this and related issues). Nevertheless, the result of not enabling this repository is that users of the distribution package only get updates when a distro maintainer uploads them. That leaves the users dependent on Ubuntu for security updates to the package as well, and there has been no commitment in Ubuntu to *provide* those security updates in a timely fashion. (Indeed, it's not clear that such updates would comply with our policies for such.)

As a result, despite the changes to the package all being sensible things to do on their own, the net effect is that the user experience when using the distro package is worse than if they had downloaded it from the dropbox website. Since the reasons for this are rooted in fairly fundamental policies of the archive, I think this is pretty clearly a case where Ubuntu should blacklist the nautilus-dropbox package in favor of the upstream one.

Do you see any reason this should not be the case?