Hi Jeremy,

On Tue, Mar 14, 2017 at 04:03:24PM -0400, Jeremy Bicha wrote:
> On Tue, Mar 14, 2017 at 1:01 PM, Steve Langasek
> <[email protected]> wrote:
> > Obviously we have good reason for a policy that third-party repositories and
> > code update mechanisms are not allowed for Ubuntu at large. In this case, I
> > believe it's acceptable because:
>
> I thought I should mention steam then. I believe the 'steam' package
> is just a bootstrapper to download the latest steam client to ~/.steam
> and run it from there. It will also update itself when launched.
> 'steam' is in multiverse and so far has mostly only been minimally
> maintained in Ubuntu to keep it fake-synced with Debian.

Thanks. I think this is mostly a matter of me simply misstating the actual
policy rather than something we need to change in the steam package (though
boy, it sure would be nice if there was an easy index to past TB decisions!).
I also may be imagining policies around some of these things that may have
actually been Debian policies rather than Ubuntu policies.

There are a number of packages in the archive which support downloading code
under a user's direction, and then running that code, as a user. We have a
policy for the desktop that specifically disallows downloading of arbitrary
code from the Internet with a web browser and auto-executing it; but we also
support download of plugins from the browser's plugin store, where the
browser verifies the authenticity of the plugin, downloads it, and executes
it in its own runtime. steam parallels this: downloads are entirely
user-directed, and the user opts in to using the steam client.

What we have said is that we do not allow official Ubuntu images to enable
third-party apt sources which potentially muddle the provenance of every
package on the system. That was not a blanket statement that nothing
installed at the system level could pull code from places other than the
Canonical-signed archives; but I think any package that does this should be
assessed case-by-case.

--
Steve Langasek
Debian Developer
Ubuntu Developer
Give me a lever long enough and a Free OS to set it on, and I can move the world.
http://www.debian.org/
[email protected] [email protected]
-- technical-board mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/technical-board
