[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Handling of removed packages

CCing debian-dpkg for obvious reasons.

On Thu, 2008-05-29 at 14:18 +0200, Stefano Zacchiroli wrote:
> On Thu, May 29, 2008 at 01:24:59PM +0200, Marc 'HE' Brockschmidt wrote:
> > The probably easiest way would be to make apt whine on all packages
> > that are not available in any version at one of the locations
> > specified in sources.list. This trivial solution sucks, because
> > locally created packages [1] also fall in this category.
> Thinking at why this solutions sucks (it does), it occurred to me that
> the reason is we don't have a ready to use easy way to let our users
> install packages "properly", that is: only via entries in sources.list.
> This is way they^W are using "dpkg -i".

Using `dpkg -i` really is insane as far as security is concerned :
people install Acrobat, Opera, Flashplayer, w32codecs and others
manually, then simply forget about it.

I know that's exactly what people do in some proprietary operating
system but still, that's insane.

I suggest to modify dpkg so it refuse to install package, unless the
option "--insecure" is specified. Such option's manpage description
would be :
> dpkg --install --insecure package_file...
> The option --insecure is now mandatory to install a ".deb" package.
> Installing a ".deb" file manually is considered a bad practice (i.e
> insecure), because the package wouldn't be updated when the maintainer
> release a security update.
> Instead of downloading and installing a .deb file, you should declare
> it's apt repository. This is done by adding the package's repository
> to /etc/apt/sources.list or /etc/apt/sources.list.d/. See
> sources.list(5).

* This option would be an effective solution to educate new users.
* For the same reason, we should remove gdebi's "Install" button.

I suggest Proposed manpage improvement for this option :


Reply to: