Summary

Apturl currently does not allow adding new repositories for security reasons. This limits its usefulness, there are certain repositories that show high quality and good QA. So we should add a whitelist feature to apturl so that we can add trusted repositories. The criteria/policy that such a repository must follow is discussed in the separate blueprint "partner-repositories".

Release Note

TBD

Rationale

There are repositories with good QA and high standards (like the Canonical partner repository) that are useful to add via apturl.

Use Cases

  1. Jane wants to install the Adobe Flash plugin from the partner repository. She goes to the Adobe site and clicks on the "Install Flash" button that calls apturl with the right parameters. The partner repository is added and Flash is installed with a single click.

Assumptions

We only add repositories that are high quality and have a good QA record.

Design

Apturl will use the "channel" mechanism that gnome-app-install uses with the app-install-data-partner package. A new key is added to the apturl URL spec named "channel" that gets a "value" that denotes to the channel that should be added (if not already there). E.g. "apturl:adobe-flashplugin?channel=$distro-partner".

In addition two new substitutions will be added: $distro which will be expanded locally to the value of the currently installed distribution codename (lsb_release -c -s), and $kernel which will be expanded to "uname -r". This is useful because the distro codename is part of the partner repository name.

Implementation

Steps to implement:

  1. add "channel=value" to apturl parser and GUI
  2. implement the substitution
  3. rename "app-install-data-commercial" to "app-install-data-partner" to reflect the status better
  4. put the trusted repo sources.list and signing keys into app-install-data-partner

UI Changes

None

Test/Demo Plan

Add the channel to http://people.ubuntu.com/~mvo/test/apturl.html and write unit tests for the substitutions and the channel adding.

Alternate/Additional features

Instead of a whitelist, popup a warning and let the user decide.

A website is attempting to add a software repository to your system. If you did not specifically intend for this to happen it may be an attack. Please review the information about the repository below before allowing it to be added:

Origin: http://www.macroshystistrustworhty.com

deb line: deb http://www.macroshyst.com jaunty main

Repo info: Lots of trustworthy software

Key info: Macroshyst, Inc (you can trust us) <info@macroshyst.com>

Key: 1UFS4E5RAS2SCU5C5K5A8NFDFSAH9O4U5L6DBWCO8R8S7H2I3PFUFS

[x]Do not import key

deny

allow


CategorySpec

FoundationsTeam/Specs/JauntyAptUrlAddRepo (last edited 2009-05-10 21:01:58 by zerothis-uvl)