Re: Handling of removed packages
CCing debian-dpkg for obvious reasons.
On Thu, 2008-05-29 at 14:18 +0200, Stefano Zacchiroli wrote:
> On Thu, May 29, 2008 at 01:24:59PM +0200, Marc 'HE' Brockschmidt wrote:
> > The probably easiest way would be to make apt whine on all packages
> > that are not available in any version at one of the locations
> > specified in sources.list. This trivial solution sucks, because
> > locally created packages [1] also fall in this category.
>
> Thinking at why this solutions sucks (it does), it occurred to me that
> the reason is we don't have a ready to use easy way to let our users
> install packages "properly", that is: only via entries in sources.list.
> This is way they^W are using "dpkg -i".
Using `dpkg -i` really is insane as far as security is concerned :
people install Acrobat, Opera, Flashplayer, w32codecs and others
manually, then simply forget about it.
I know that's exactly what people do in some proprietary operating
system but still, that's insane.
I suggest to modify dpkg so it refuse to install package, unless the
option "--insecure" is specified. Such option's manpage description
would be :
> dpkg --install --insecure package_file...
> The option --insecure is now mandatory to install a ".deb" package.
>
> Installing a ".deb" file manually is considered a bad practice (i.e
> insecure), because the package wouldn't be updated when the maintainer
> release a security update.
>
> Instead of downloading and installing a .deb file, you should declare
> it's apt repository. This is done by adding the package's repository
> to /etc/apt/sources.list or /etc/apt/sources.list.d/. See
> sources.list(5).
* This option would be an effective solution to educate new users.
* For the same reason, we should remove gdebi's "Install" button.
I suggest Proposed manpage improvement for this option :
Franklin
Reply to: