Please check the status of this specification in Launchpad before editing it. If it is Approved, contact the Assignee or another knowledgeable person before making changes.


It should be possible to install software in a safe and supported way over a website. This allows us to provide more dynamic content and richer metadata (like screenshots, comments) than with traditional client applications and to better support Launchpad's new personal package archives. To achieve this, a new "apt://" protocol will be created that allows giving commands to apt/synaptic.

Release Note

The apt-firefox-archive-plugin feature allows users to install software via simple websites in a safe and supported way.


People use to install software just clicking on a URL. Softonic, Tucows and others, list lots of applications that users can easily add to their Windows boxes. The linux way is not that easy.

An Ubuntu distribution has got a defined repository with loads of software, but users need to use a specific software installer (gnome-app-install, synaptic) to add more software.

Use Cases


The apt protocol should support the following actions:


The default internet browser will call a external application whenever an apt:package_name url is clicked. It adds the complete url as an argument to that external application. The external application will then do the equivalent of apt-get install $package_name (using synaptic or adept_batch as its backend)

The new protocol will follow (STD66).

In its easiest from, the new url will be formatted:


We are not linking a .deb file, just giving the name of the package to an external application. By default the syntax will be not hierarchical, but to stay compatible with Guadalinex a hierarchical argument will be supported as well (apt://pkg_name will also work).

In addition to this, a syntax will be supported to install applications that come from repositories that are not in the current sources.list. This synatx will follow the following style:


The keyfile will be searched in /usr/share/app-install/channels. If no keyfile is given it is assumed that the repository is authenticated with the default key. If the repository can not be authenticated it will not be added and no packages get installed.

If the repository is not already in the sources.list the UI will ask if the repository should be added permanently or just temporarily. The package is then installed. If no parameter is given it is assumed that the distro is set to "/". The line above expands to:

deb /

The parameters "dist=foo" and multiple "section=bar" are supported as well. So apt+ expands to a sources.list line like this:

deb feisty foo bar

Additional a parameter minversion=x.y will be supported. This enables us to build webpages about packages that describe new features and provide a quick "install now" link. If (for some reason) the minversion is not available the user will not be disappointed that the package he installed does not actually support the advised features.




The handler will be installed into /usr/share/firefox/defaults/prefs/apt-archive-handler.js as an additional configuration file. The whole application will done as a new package with some python clue code (gapti/gdebi will be reused as much as possible or even merged if that is feasible).

A similar mechanism is implemented in Guadalinex, the file /usr/lib/firefox/firefox.cfg was modified to achieve the same goal, and a perl script was added to parse the url, and call synaptic. We will provide compatibility with their syntax.

The current set of commands is limited on purpose. Actions like "update", "upgrade", "dist-upgrade", "remove" look not useful or plain dangerous. We may expand the syntax later to support multiple packages separated by ",".


With the above design the security implications are small. All software comes from trusted repositories, it is only possible to add repositories that have a keyfile that is already available in ubuntu already (e.g. in the app-install-data-commercial package).

A possible attack vector would be to trick users to install a application with a known vulnerability or to install applications that open a port.

Future Work

The approach to allow only adding repositories with already available keys limits this protocol for third party vendors. We could consider extending the specification in the future to have a command like "add-repository-unsafe" if that is a desired goal, or have a new apt-protocol: handler.

Releated Work

A similar approach using a command file instead of a protocol: and

The svn for the Guadalinex implementation:

svn co


The current set of commands is limited on purpose. Actions like "update", "upgrade", "dist-upgrade", "remove" look not useful or plain dangerous. We may expand the syntax later to support multiple packages separated by ",".


AptFirefoxFileHandler (last edited 2009-07-22 05:47:36 by claysmalley)