On Tue, 09 Jan 2007 21:09:11 +0100, Reinhard Tartler wrote:

> "Thomas Leonard" <[EMAIL PROTECTED]> writes:
>
>> I uploaded a package for Zero Install back in Oct 2006:
>>
>> http://revu.tauware.de/details.py?upid=3885
>>
>> I got a comment on Dec 20th to update the version number, which I've done.
>>
>> Do I need to tell someone about this (e.g. write to this list), or do
>> reviewers get notified automatically? How long does the process normally
>> take?
>
> Apart from the package quality (which I'd consider okay), I had a look
> at what 0install actually does. It seems to me that 0install is similar to
> autopackage, a project I have strong reservations about. I fear that this
> tool has the potential to badly break a user account.
I think you'll find the security model is rather different in Zero Install.
In particular, it should never "break" a user account, since it only ever
writes to the directories ~/.config/0install.net and ~/.cache/0install.net
(which I presume Ubuntu isn't using for anything else ;-).

> Furthermore, I have some security concerns (who validates/authorizes a
> signature from one upstream).

The user installing the software, assisted by a "hints" database of known
keys. While you can try to protect users from installing malware, at the end
of the day it *is* their computer, and they have to make the final judgement.

Note that, unlike dpkg, Zero Install doesn't run any scripts as root, or copy
files into /usr/bin, etc. So, from a security perspective you should compare
a user installing with Zero Install vs installing to $HOME without it.

> What happens, if a library is pulled via 0install, and later installed
> via apt-get?

APT will place one copy in /usr/lib, which will be used by programs installed
by APT. Zero Install will place one (possibly identical) copy in
~/.cache/0install.net, which will be used by programs run through Zero
Install. Having two copies may be inefficient, but nothing should break.

> What do the others think? Should we have this in ubuntu?

Please let me know if you have any other concerns.

-- 
Dr Thomas Leonard http://rox.sourceforge.net
GPG: 9242 9807 C985 3C07 44A6 8B9A AE07 8280 59A5 3CC1

-- 
Ubuntu-motu mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-motu
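The reply above rests on a checkable claim: that the installer only ever writes under ~/.config/0install.net and ~/.cache/0install.net. A reviewer need not take that on trust; tracing the installer's file system calls and flagging any write attempt outside those two directories settles it. The following is an added example, not part of this thread and not Zero Install's own code. It parses strace file-syscall output and reports writes that leave the allowed directories. The trace lines, the home directory /home/alice, and the function names are constructed for illustration; a prefix-confusion case (a sibling directory whose name merely begins with 0install.net) is included because a naive string prefix check would let it through.

```python
import os
import re

# Directories the reply says Zero Install confines its writes to.
# Assumption for this example: any attempted write elsewhere is a violation.
ALLOWED_PREFIXES = ("~/.config/0install.net", "~/.cache/0install.net")

# open(2)/openat(2) flags that mean the file may be created or modified.
WRITE_FLAGS = {"O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC", "O_APPEND"}

# Syscalls whose quoted path arguments are always created, changed or removed.
MUTATING_CALLS = {
    "mkdir", "mkdirat", "rmdir", "unlink", "unlinkat", "rename", "renameat",
    "renameat2", "link", "linkat", "symlink", "symlinkat", "chmod", "fchmodat",
    "chown", "lchown", "fchownat", "truncate", "utimensat",
}

# One strace line: optional "[pid N]" or "N" prefix, call name, args, "= result".
LINE_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+|\d+\s+)?([a-z0-9_]+)\((.*)\)\s*=\s*(-?\d+|\?)")
# A double-quoted strace string argument (escaped characters allowed).
PATH_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Constructed sample trace: a few reads, some writes inside the allowed
# directories, one append to ~/.bashrc and one (failed) unlink in /usr/bin.
SAMPLE_TRACE = """\
12345 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
12345 openat(AT_FDCWD, "/home/alice/.cache/0install.net/implementations/sha1new=abc/bin/hello", O_WRONLY|O_CREAT|O_TRUNC, 0755) = 4
12345 mkdir("/home/alice/.config/0install.net/injector", 0700) = 0
12345 rename("/home/alice/.cache/0install.net/tmp-1", "/home/alice/.cache/0install.net/implementations/sha1new=abc") = 0
12345 openat(AT_FDCWD, "/home/alice/.bashrc", O_WRONLY|O_APPEND) = 5
12345 unlink("/usr/bin/hello") = -1 EACCES (Permission denied)
"""


def _expand(prefix, home):
    """Turn "~/..." into an absolute, normalised directory under `home`."""
    return os.path.normpath(prefix.replace("~", home, 1))


def _inside(path, root):
    """True if `path` is `root` itself or lies below it (not a look-alike sibling)."""
    path = os.path.normpath(path)
    return path == root or path.startswith(root + os.sep)


def writes_from_strace(lines):
    """Yield (syscall, path) for each file the traced process tried to modify."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # signals, "<... resumed>" fragments, exit lines
        call, args, _result = m.groups()
        paths = PATH_RE.findall(args)
        if not paths:
            continue
        if call in ("open", "openat", "creat"):
            # Strip quoted strings first so a path containing "O_" is not read as a flag.
            flags = set(re.findall(r"O_[A-Z]+", PATH_RE.sub("", args)))
            if call == "creat" or flags & WRITE_FLAGS:
                yield call, paths[0]
        elif call in MUTATING_CALLS:
            # rename/link-style calls modify both the source and the target.
            for path in paths:
                yield call, path


def check_confinement(lines, home="/home/alice", allowed=ALLOWED_PREFIXES):
    """Return [(syscall, path), ...] for attempted writes outside `allowed`.

    Relative paths are reported too: without the working directory they cannot
    be proven to lie inside an allowed directory. Failed attempts (negative
    return values) are reported as well, since the attempt is what matters.
    """
    roots = [_expand(p, home) for p in allowed]
    return [
        (call, path)
        for call, path in writes_from_strace(lines)
        if not os.path.isabs(path) or not any(_inside(path, r) for r in roots)
    ]


if __name__ == "__main__":
    for call, path in check_confinement(SAMPLE_TRACE.splitlines()):
        print(f"write outside allowed directories: {call} {path}")
```

To apply this to a real run, capture a trace with `strace -f -o trace.log -e trace=file <installer command>` and pass the file's lines to check_confinement together with the user's actual home directory. An empty result for a full install-and-run cycle is the evidence that backs the "only writes to two directories" statement; anything else is a concrete question for upstream.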
