My thoughts about Apt URL

  • Everything you need comes on one CD
  • Ubuntu is designed with security in mind

Both of the above lines were taken from the What is Ubuntu? page on the Ubuntu website. If this is still true, then we don’t need Apt URL do we? If it isn’t true, and we do in fact need something like Apt URL, shouldn’t these 2 lines be removed from the website?

The need for Apt URL simply tells us that Ubuntu doesn’t have everything you need on one CD. In the AptURL Policy Discussion blueprint on Launchpad, Rick Spencer states the following:

It should be much easier than it is for developers to get their apps to users, and it should be much easier for users to install such software. PPAs is potentially a good way to do this. Finding PPAs and exchanging keys should be much easier.

I couldn’t agree more, and can see how AptURL might actually work for this. But. Of course there is a but, otherwise this post would be more useless than it probably already is. The developers of the software that must be easier to get should probably communicate with the distributions a bit: let us know they have a new release they would like to get into Ubuntu, or that they have new software. If we can’t get the software into the current release or the next release, then a PPA is perfect for this. But instead of me, Martin Owens, or anyone else for that matter, publishing software to a personal PPA, why not have the teams do it instead? The Kubuntu Team has a PPA, and I know a lot of the other teams do as well. Why don’t these teams publish it into their PPAs? That way we don’t have to worry about the whole trust thing. With it going into a team PPA, the chance of more eyes seeing it before it is released to the masses is higher than it would be if I were to package and upload to my PPA. Using Launchpad, put an Apt URL button, similar to the One-Click buttons that openSUSE uses, on the team’s PPA page, if we really need Apt URL that bad.

The whole security minded thing was added because I can’t think of one way to really make this whole Apt URL thing secure, can you? GPG keys won’t do it, and creating some network of trust won’t do it either. Look at the sites that allow developers of Mac OS X and Windows software to distribute their stuff: do you see “This person is in our web of trust”? No, what you might see is a list of comments, and after a product has enough comments, it can get that whole “Preferred Developer” type of tag added to the developer’s name. Kind of like Pirate Bay does with people who distribute stuff there. They use a skull and a color to represent people of trust or good faith, which is kind of odd. At first I saw the skull and thought, oh, stay away from that one. Security will always be a bitch with Apt URL. I was looking to see what kind of policy openSUSE had with One-Click stuff and I couldn’t find anything. Did they realize it was a “Use at your own risk” type of deal instead of spending the past 2 or 3 development cycles trying to figure out a policy that just isn’t there?

The fact that it is considered not easy to add a 3rd party repository should speak volumes in itself. We want to protect our users any way we can, and from what I have seen thus far Apt URL will prevent us from doing so. You could of course prove me wrong, and I hope that happens, soon! If a user doesn’t understand how to add another repository, should they really be trying to add it at all? What is the reason for them trying to add another repository?

Is it because:

  • The package isn’t available in Ubuntu?
  • The package is outdated in Ubuntu?
  • The package is broken in Ubuntu?

If you answered yes to any of these, then your excuse for using Apt URL is nothing more than a band aid for problems in Ubuntu. But the package isn’t available in Ubuntu. Did you or anyone else file a bug to get the package in Ubuntu? No? That is definitely a reason why it isn’t in there, but I can understand this. Maybe you don’t know how to file a bug, and if this is the case, then maybe we should spend time somewhere else instead of Apt URL so we can make that process even easier, because the ability to file a bug is far more important than the ability to add a 3rd party repository that is loaded with candy from a stranger. What if the bug is filed, but nobody is looking at it? That is a problem with Ubuntu, so maybe we should spend time on figuring out how to fix this? What if it is packaged and sitting in REVU, which nobody has looked at since September or something? Yet another problem with Ubuntu, and something we need to spend time on. The list can continue and cover an outdated and/or broken package as well.

Are people pushing Apt URL as a band aid for Ubuntu? Will Apt URL really make it easier for software developers to push their products to the public? Fill me in, what am I missing? Why is Apt URL so important?

Addition: I also wanted to note that I don’t think apt-url will fix the issue of getting the latest software, or fixed software, out there much better than it already is. If Ubuntu is experiencing problems that are causing this band aid to be created, then what are we going to do in order to provide another band aid when the people running these “whitelisted” repositories start to dry up? If these people running these “whitelisted” repos can contribute to their own repo, why can’t they contribute to ours? Shouldn’t we be trying to recruit these people? Shouldn’t we be trying to hold on to the ones we have now?

  • I agree. I tried to create a long well thought out answer but it just didn’t make sense.
    So I’ll make it simple

    I agree

  • Jonas

    I couldn’t agree more. I don’t like the idea of AptURL any more than I like Suse’s one-click install. Convenient, yes, but potentially a disaster.

    And no, not necessarily because the package the user in question wants is packaged the wrong way (i.e. is installed in the wrong place, or with the wrong permissions). That’s a pitfall to be sure, but personally I’d be more concerned with the ppas (or the more or less equivalent home: directories for suse-devs/users) containing upgrades to _other_ packages that may break other parts of the system. Say an upgrade of Python that the user may not necessarily know what it even is until that upgrade breaks something he or she relies on.

    Ideally, it should NEVER be needed to add third-party repos to any distro – and that includes repos “everyone” adds such as medibuntu. Yes, I realize that’s not likely to happen but one can dream…

  • Tim

    But what if people want really new software on older releases?

  • Jason Taylor

    # The package isn’t available in Ubuntu?
    Your answer is file a bug… then wait 6 months and hopefully it might work?
    I don’t want to wait 6 months!!!

    # The package is outdated in Ubuntu?
    Happens all the time eclipse / monodevelop, can you say intel driver?

    # The package is broken in Ubuntu?
    This seems to be rare and will usually get fixed fairly quickly, but again I don’t usually want to wait

    I think the real issue is it’s too hard to get end user applications (not talking about low level stuff like kernel or network manager type things) into Ubuntu outside the 6 month sync … applications like Banshee (1.5 released today) will never make it into Jaunty, so it’s use a PPA or wait 5 months. PPAs solve this; I don’t think the central repos can…

    Maybe popcon data should be collected on PPAs to see what’s popular; that would highlight the need that the repos aren’t meeting

  • @Tim – then Ubuntu needs to do something to make that happen, we shouldn’t make you depend on someone else to provide that for you.

    @Jason – like I said, everything you just explained proves that apt-url is nothing more than a band aid for Ubuntu development. Ubuntu shouldn’t make the users depend on someone else. My answer wasn’t to file a bug, I was using that to show that Ubuntu development has cracks that need to be fixed, not patched or plugged.

    If Ubuntu decides to use apt-url, then I think the teams that are responsible for that software should manage the repos, and not some John Doe character. Maybe this is also an issue with a release cycle. You don’t see these issues with distros that have rolling releases do you?

    apt-url isn’t going to fix the problems either, because you may get your Eclipse or MonoDevelop, but I might not get this or that. It is still going to happen, maybe just not as often or as much as it is happening now.

  • ethana2

    We need to combine brainstorm with launchpad so people can vote on what needs to get into ubuntu and they can be packaged one by one, by the highest number of (maybe weighted?) votes.

    They can’t just be a bunch of packaging requests floating around out there. At any time, there should be ONE that is the next one up to be packaged and pushed into backports.

  • ethana2

    Bounties built into launchpad would be great too. I bought an Ubuntu Dell. I bought an ubuntu hoodie. I bought ubuntu stickers. Why can’t I buy my bug fixed?

  • ethana2

    ..sorry to post three times, but I’m accustomed to using an apt line for EVERY piece of software I care about at all because of how old the ubuntu version is.
    WINE, Midori, Miro, Kdenlive, gnome-globalmenu….. many others.

    I’m probably more frustrated by this whole deal than most. I probably won’t bother with gpg keys anymore, too much of a hassle.

  • @ethana2 – You are right about the package requests, look at Debian’s request for packaging list on wnpp. Holy cow, and people think Ubuntu has it bad (including me I guess). Launchpad used to have a bounty system but they removed it for reasons I don’t even know. I am not sure many people were using it. As for Kdenlive, just pushed the latest to Karmic :p Sorry, didn’t mean for that to sting because I said Karmic and not Jaunty, Intrepid, or Hardy. Obviously you have thought about it as well and I think your reasoning is great, and definitely has a stronger and definitely safer foundation than apt-url does.

  • OK, my buddy Jordan let me know they removed the bounties because they didn’t work. That’s a shame, though I am willing to bet a bounty system might work better today than it did 4 years ago.

  • I’m a bit conflicted on the whole issue myself. While there’s a lot to be said about rolling-release distros, one of the main reasons I find myself using Ubuntu is that I think it has a great balance between stability and keeping up-to-date. Yet, I still find myself backporting things for myself and using PPAs. I guess part of that is my switching back and forth between my testing installation and my stable release. Often I don’t want to give up the neat little new feature I found.

    Also, the reality is that the same people willing to use Linux on the desktop are those that want to try new things. But sometimes I wonder if the people that we always hear complaining about not having the newest releases of certain things are just a very vocal minority. I don’t know….

    Maybe we should be throwing more effort into the official backports repository? Though, one obvious problem with that is that it would pull developers from working on ubuntu+1. Community members can request and test backports, but they still require an ACK from a member of the backport team and the intervention of an archive-admin. Honestly, I’m still a bit confused by the process in some ways. Looking at the membership list of ubuntu-backporters (https://edge.launchpad.net/~ubuntu-backporters/+members), it’s a pretty small team. But there are multiple MOTUs sitting in the proposed members list. How does one get involved with that team? There doesn’t seem to be a mailing list or wiki page for the team.

  • You are my hero!

  • @andrewsomething – you are just popping up everywhere on my radar recently 🙂 I am kind of with you as well, as I could very well be 50/50 on the issue, just as long as it isn’t a band aid. As for the backports team, all communication is done via the MOTU mailing list and the #ubuntu-motu IRC channel. We should be utilizing backports, but you are right, pulling more people into it takes people away from ubuntu+1, so there also seems to be a crack in recruiting new developers as well. I have been a member of the MOTU council now for the better part of a year or so, and have got to watch a lot of people apply for MOTU and such, but the one thing that stands out is that there really aren’t that many people applying. Another problem is we have lost quite a few of our older developers. Older not as in age of course 🙂

    I think something like we are talking about would have been better discussed at UDS than some of the topics I followed.

    Look, the community has so many bright people, but I feel we may not be utilizing some of them to their potential. Another thing I recognize is that this is a hard thing to fix because in the open source world, people would rather have a leader than a manager. I feel that there needs to be some management, but I recognize at the same time that it would turn off quite a few people, therefore causing us to possibly lose more while at the same time not being able to recruit new ones. The open source world is a beast, a very big beast that isn’t always the easiest to control. The open source world in my eyes has sucked horribly at 2 things for the past 15 or so years that I have been involved.

    1. Marketing
    2. Management

    If I could come up with a 3rd M, we could have the 3 M’s :p

    The reason marketing has sucked is because developers can’t market, and I don’t expect them to be able to market.

    The reason for management is because if you start managing in a business-like environment, people are like “what the hell” and split. People volunteer and do their own thing at times, and this kind of hurts open source more than it helps it.

    This is also something many distributions haven’t worked with over the past 15 years, and I am hoping that Canonical might be able to shed some light. Canonical has some really great business savvy people, so I know the talent is there to at least curb this evil spiral.

    Then again, maybe I shouldn’t let my business education interfere with my open source involvement too much either 🙂

  • @Daeng Bo – you are my hero dude, keep on rocking your blog! I really enjoy it!

  • Glad I got you talking about the problems.

    There may be problems in Ubuntu, but the way you’re talking about software it’s as if there is only one authority that could ever possibly provide software for all users… Just what kind of a society do you think we live in?

    No, the community of software is bigger than main and universe, and it’s about time you realised that we need people to have their own software delivery methods if we are to decentralise some of this stuff.

  • @Martin – I know there isn’t one authority, nor would I ever act like that. People can have their own software delivery methods, and I know sites such as kde-look.org and kde-apps.org offer up more than a tarball these days. We are talking about giving people the ability to click on a link that will add a new repo to their sources.list. People are also talking about putting together a whitelist of trusted repositories. This whitelist isn’t putting the software delivery methods in the hands of the developer either. Your GPG idea doesn’t put the delivery methods in the software developers’ hands either, because what if they don’t have a GPG key? What if nobody has signed it? What if that developer is locked in his parents’ basement doing this stuff for fun and doesn’t get out to the various events and what not to have his key signed? Now what? If the GPG way were even close to being a correct way to determine trust, guess what? The same people who are packaging for Ubuntu are going to be the same ones providing repositories.

    Apt URL is not a solution. Apt URL is nothing more than the same stuff that was Automatix. We all shit ourselves over Automatix because where was the trust in where they were getting the software, besides the fact their scripts were just flat out dangerous.

    The only thing you are really proving is that we need a single package management system. One package manager to rule them all!

    If a developer writes a good app that more than just that person uses, and say a few people use, typically one of those people will try and get it into their distros repos.

    For reiteration, Apt URL will create more problems than it will fix.

  • Also wanted to add the following.

    How come those who are packaging this stuff and putting it into another repository can’t put it in the Ubuntu repositories? This is another thing that flaws the entire reasoning behind apt-url.

    Also, providing apt-url to packages that could or should be in the Ubuntu repository is a slap in the face to MOTU and Core Developers. How so, you are probably asking? Easy: MOTU and Core Devs go through a process in which their abilities are screened to make sure they have the right to commit and upload packages. Providing apt-url to allow others who didn’t go through the same process that MOTU and Core Devs have is pretty much like saying, “You wasted your time, you could have just set up your own repository and you will get whitelisted and blah blah blah.”

  • Flimm

    Proprietary applications like Skype would benefit by having apt-url, since they often can’t get into restricted or multiverse repositories.

  • Omer

    I agree with most of what you say here, but there are still problems that cannot be addressed by the current system. Take Skype for example. Canonical refuses to package Skype because it is closed source and has a proprietary protocol. Unfortunately, many non-advanced users want, and should be able to easily get, Skype. Right now they have two options: either they download the package directly from skype.com (as insecure as apturl but not as easy) or they install the medibuntu repository, something far from intuitive and obvious. It seems like current efforts are devoted to making apturl more secure so that users can do this sort of thing with decent peace of mind. It may be possible to create a “restricted” repository in the same manner that we now have “restricted” drivers. This, of course, would take a lot more effort than the decentralized apturl system being proposed.

  • I think two slightly different issues are getting merged here:

    1. use of apt-url, and
    2. easy addition of ppas (or other archives) to software sources

    As I understood some of the discussions from UDS, (1) should be very very very restricted – as clicking on links in a browser to install software OR add repos is not a good thing to encourage (same goes for .deb files). So the white-list might allow 3rd-party proprietary software such as skype or adobe reader to be added easily.

    Regarding (2), yeah, the challenge is whether this can be done securely. Another use-case would be for beta software (such as nightly builds, although perhaps that’s what you were referring to with KDE above). I’ve put up an idea building on Martin’s mockups (but trying to remove the gpg-identity confusion noted in the comments there)… see trusted software archives if you’ve time.

    Either way, I think apt-url is only an intermediate solution… so in the long-term something like an ‘appcenter-url’ which can open up the app-center application so that all software installation is done in the one place (and it’s obvious to the user what’s going on etc.)

  • In the instance of Skype, will someone explain to me why it can’t go into multiverse? It isn’t like Ubuntu doesn’t already have proprietary stuff already packaged in this repository as well as the Canonical repository. If there is some reason I am missing here, then I could understand Skype, but does Skype even have a repo? All I can find are just .deb files from them.

  • If more stuff went promptly into backports (and there was a beta-quality backports repo for—e.g.—Banshee 1.5.x), then there’d be no problem on the outdatedness front.

    And we need to make it as easy for developers to get their software into universe as it is to set up a PPA. (gnome-globalmenu is an example here.)

    (Also, the alternate text for your browser-and-OS sniffer is wrong: nixternal is Using Mozilla Firefox Mozilla Firefox 3.0.10 on Ubuntu Linux Ubuntu Linux. As these icons are decorative, only alt="" is correct.)

  • @Greg – you are correct about backports there, it would be nice to see it get utilized more.

    Thanks for the tip on the sniffer thing as well. I will take look at it.

  • @Greg – fixed the alt="" 🙂 thanks again

  • yman

    Repositories can be implemented in a less centralized way. For example, if repositories had permissions (Install new packages? Update its own packages? Update other repositories’ packages? “Steal” ownership of packages it updated? Allow other repositories to update its packages?) then packages could specify the repository they belong to, so they can receive updates, and it can be done in a manner completely transparent to the user. It would also be nice if there were “meta-repositories” that listed the apt line that corresponds to each OS release. For example:
    deb http://packages.medibuntu.org/ hardy free non-free : Ubuntu : 8.04
    deb http://packages.medibuntu.org/ intrepid free non-free : Ubuntu : 8.10
    deb http://packages.medibuntu.org/ jaunty free non-free : Ubuntu : 9.04
    These meta-repositories can also include the scripts necessary for transitioning from one release to the next. Like this, the correct repository for the release can be selected automatically, and even 3rd party repositories can properly participate in dist-upgrade.
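    The meta-repository idea in the comment above can be made concrete with a small parser. The following is an added example, not code from the post or from any Ubuntu/apt project: it reads lines in the "apt line : OS : release" shape shown above, validates the apt part before accepting it (only `deb`/`deb-src`, only http/https URIs, no `[options]` field, so a feed cannot smuggle in `[trusted=yes]` and switch off signature checking), and picks the apt line for a given OS and release. The sample input and the `.invalid` mirror hostname are constructed for the example.

```python
"""Parse and select from a "meta-repository" listing of apt lines per release.

Added example (not from the blog post or any apt project). The format is the
one proposed in the comment above: one apt source line, then the OS name,
then the release, separated by " : ".
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the three lines quoted in the comment, plus two
# lines that should be rejected (non-http scheme, and not an apt line at all).
SAMPLE_META = """\
deb http://packages.medibuntu.org/ hardy free non-free : Ubuntu : 8.04
deb http://packages.medibuntu.org/ intrepid free non-free : Ubuntu : 8.10
deb http://packages.medibuntu.org/ jaunty free non-free : Ubuntu : 9.04
deb ftp://mirror.example.invalid/ jaunty main : Ubuntu : 9.04
this is not an apt line : Ubuntu : 9.10
"""

# type, URI, suite, then one or more components. An "[options]" field between
# type and URI (e.g. "[trusted=yes]") is deliberately not accepted: the URI
# group must start with an allowed scheme, so such lines fail validation.
APT_LINE = re.compile(
    r"^(?P<type>deb|deb-src)\s+(?P<uri>\S+)\s+(?P<suite>\S+)\s+(?P<components>\S+(?:\s+\S+)*)$"
)
ALLOWED_SCHEMES = ("http://", "https://")


@dataclass(frozen=True)
class MetaEntry:
    apt_line: str
    os_name: str
    release: str


def validate_apt_line(line: str) -> Optional[dict]:
    """Return the parsed fields of a well-formed apt line, or None if rejected."""
    m = APT_LINE.match(line.strip())
    if m is None:
        return None
    if not m.group("uri").startswith(ALLOWED_SCHEMES):
        return None  # rejects ftp://, file:, and any "[options]" field
    return m.groupdict()


def parse_meta_repository(text: str) -> list:
    """Parse the meta-repository text, silently dropping malformed entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(" : ")]
        if len(parts) != 3:
            continue  # not "apt line : OS : release"
        apt_line, os_name, release = parts
        if validate_apt_line(apt_line) is None:
            continue
        entries.append(MetaEntry(apt_line, os_name, release))
    return entries


def select_apt_line(entries: list, os_name: str, release: str) -> Optional[str]:
    """Pick the apt line for this OS/release; None means 'do not add anything'."""
    for entry in entries:
        if entry.os_name == os_name and entry.release == release:
            return entry.apt_line
    return None


if __name__ == "__main__":
    meta = parse_meta_repository(SAMPLE_META)
    for os_name, release in (("Ubuntu", "9.04"), ("Ubuntu", "9.10")):
        print(os_name, release, "->", select_apt_line(meta, os_name, release))
```

Returning `None` for an unknown release, rather than falling back to the nearest one, is the point of the selection step: a meta-repository that does not list the running release should add nothing to sources.list.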

  • Why should people interested in software distribution in general be bound to the universe/MOTU process/policies for software distribution? The Ubuntu distribution contains a specific core of packages and a limited snapshot of the open source universe; there are needs/interests outside of that limited universe. Please do not try to restrict other people’s ability to use software from the real universe just because you lack the manpower to extend the limited universe.

    What is your problem with someone, either an individual or a team, providing packages for whatever reason they feel appropriate (newer versions, different build options, whatever) as long as the users have a clear understanding that those packages are provided by a different team/person and of the associated risks?
    It is not a security related problem (you can already single click .deb install), so yes, it is all a matter of trust.

    Please continue doing your great work maintaining the universe and stop wasting time blocking others from following their route.
    Acknowledging that you do have a developers/manpower problem and then trying to address it by adopting lock-in policies is something that does not work in the open source world.

    The proposal to provide a way to easily install packages from PPAs is a technical solution for software distribution using a trust model; there are plenty of scenarios for which it makes sense to use/install packages that must not/should not be on the official repositories. Working around some “universe” limitations is just one of those scenarios.

  • @João Pinto – I have no problem with it. Apt URL is there, use it, but when your system gets trashed don’t get mad at me for laughing. I am saying that Ubuntu shouldn’t be wasting their time looking for a way to implement it. According to the people who are working on this whole ridiculous Apt URL policy, they want to have a whitelist, so in fact they are blocking you, not me. I say put Apt URL there for any and everyone to use, BUT! Don’t come knocking for support. This was the same bull that happened a couple of years ago with Automatix. It is going to just take a few thousand people to trash their system with this stuff and guess what, it will get removed.

    This whole trust model is flawed; it is preventing you, or blocking you, as you said I was. There is no way to protect the users when you allow them to easily start installing applications from elsewhere. Apt URL is a security nightmare, hell it is a support nightmare.

    If people can package their apps for their own repository, then why can’t they package for Ubuntu? That is what I want to know. Apt URL wouldn’t be needed if these people didn’t alienate themselves that way. If you are a software developer and you want your stuff pushed to the masses, you don’t keep it all to yourself in your own repo.

    Thus far, every argument I have heard was dead from the first sentence. Right now it is obvious that there should be no policy for Apt URL, it should be “Use at your own risk and do not expect support.”

    And the first person that comes in and says, “Hey, I added this repo, and now someone keeps logging in and deleting this or that, or my system is hosed.” I am seriously going to laugh at them, the same exact way I laughed at those who used Automatix.


  • “If people can package their apps for their own repository, then why can’t they package for Ubuntu? ”
    There are multiple reasons that I can think of:
    – provide versions which do not meet the SRU policy,
    – provide versions with specific features/options that are not enabled/available in the official packages
    – provide packages which were/will not get into the archive for the current development cycle – you know there is a problem here; until it’s fixed PPAs work just fine
    – ideological reasons, centralized package management is not necessarily friendly/helpful for software authors

    “Apt URL is a security nightmare, hell it is a support nightmare.”
    Why is it a security nightmare? Do you, on universe uploads, check every package’s source code for security related concerns, or do you just trust the software author, and let other people trust in you?
    If another party uses the same sources you do, and is trusted by the same people you are, where is the security issue?
    Please do not fool yourself by assuming that your stricter/longer process ensures more security in the provided packages.

    The project I am a member of has been providing thousands of packages for the last 3 years, and I have no complaints about our packages resulting in support effort for the Ubuntu community; actually it is the other way around, they help by addressing some support issues. Feel free to point me to bug reports that state otherwise. Why should PPAs cause a support problem?

    Please do not insult PPA providers with your constant comparison with Automatix; Automatix’s problem was not its ability to provide software outside the repositories, but the way it did it from a technical perspective.
    You could look at the opposite example of EnvyNG: it also started as just a script installing driver versions from outside the repository, but because it was properly improved it later became integrated into the repositories.

    PPAs, when properly used, can provide packages of the same quality or even better when compared to the official repositories; they also provide the advantage that you, the universe maintainers, can easily grab the Debian source control from there and just upload into universe.
    When improperly used they pose the same risks as installing a .deb package or just executing a random script copied from a web page; the trust model minimizes this risk.

    Again, do not mix the ability that trusted people/teams should have to distribute software with an explicit approval from the user, with the “universe” inability to provide that same software. APT URL improvements goal is to provide the first, not to resolve the second.


  • Being the maintainer of allmyapps, a website which relies heavily on apt-url, I thought I’d share my opinions on apt-url.

    In my opinion, apt-url is in its current state nothing more than a cool tool that enables some creativity above repositories and this is exactly what we’re doing at allmyapps. apt-url is limited by the repositories and this is a Good Thing! This is why it works so well and why we use it. The repositories paradigm we use in the general Linux / OSS ecosystem is what protects users from Bad Things happening.

    In my opinion, apt-url is not the right place to try to solve the 3rd party application installation issue. Of course, from the allmyapps perspective, one could think I would prefer my users having the ability to easily install external stuff from apt-url as it would enable us to propose more applications to the allmyapps users. But in fact, this is not how we think because what is important end of the day is to protect users who have no clue of what they are doing. We want them to know that using allmyapps is safe… and this is why we love apt-url the way it is today.

    Enabling easy external application installation directly from apt-url would be a mistake imho. Official repositories are like a castle’s walls: you can choose to live outside and enjoy more freedom, but then do not come back and cry when you get attacked.
