I'm sorry, but this bug is all over the place. Initially it was 'make gdebi harder to use' but it has morphed into a wishlist of desired behaviors for gdebi leading to a situation where there is no way to address this bug.
Any user who downloads a deb file and runs gdebi on it is explicitly trusting that file to do *anything and everything* as root. If we put in some mechanism for gdebi to alert if something is added to sources.list or /etc/apt/sources.list.d, the maintainer scripts could easily subvert it (eg, add something to cron, at, etc, etc), not to mention the binaries themselves. My feeling is the gdebi portion of this bug should be marked "Won't Fix" as there won't be a reasonable way to protect a user from untrusted debs. Forcing the user to download a file from firefox onto the desktop and then double clicking it to install via gdebi seems specious and not real security. The user downloading the deb will dutifully jump through that hoop without a second thought. Michael, please let me know if I'm missing something in my analysis. If not, I suggest marking as Won't Fix and possibly (though I don't think we should) open another Wishlist bug against firefox requesting gdebi not be called by firefox. ** Changed in: gdebi (Ubuntu) Status: Confirmed => Incomplete ** Changed in: gdebi (Ubuntu) Assignee: (unassigned) => Jamie Strandboge (jdstrand) -- Make gdebi harder to use (was: Disable support for adding repositories) https://bugs.launchpad.net/bugs/139227 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs