Some of you may have seen some recent posts around the Ubuntu Planet about the new AptURL project that is default in Ubuntu 7.10 “Gutsy”. I wanted to make a few comments about it myself after tinkering with it a little. I think the project and idea is pretty cool and I hope it sees some more use.
I may be updating my blog in the future to take advantage of AptURL. I suppose to maintain backwards compatibility I’ll need to use both, but we may begin seeing tutorials along these lines:
Example…
Installing non-free codec pack
sudo aptitude install ubuntu-restricted-extras
For those using Ubuntu 7.10 you should be able to simply click the link and the package should prompt for installation. If it does not try installing the apturl package. Those still using previous versions will still need to type the command on the command line.
Does anyone have any thoughts on seeing this on the blog moving forward? Good? Bad? Indifferent? I think it may make some tutorials a bit simpler for some users.
Sorry, that was just for the “generic” tutorial, but specifically for aptURL: Yes, why not, but please try to use both ways as long as possible, especially on non-Ubuntu-only topics so that Debian users can also profit from it!
This is a neat idea but doesn’t it open up the potential for malicious activity? For example, someone searching for how to install multimedia codecs could find a page that purports to install them but instead the link installs a key logger or root kit. Granted, such packages would not likely be in the repos so there is still a layer of protection but how long will it be before bogus repos could be added (maybe that can already be done) or simply use social engineering to convince the user that the new repos are needed. The more new users we see, the more likely they are to click, click, click to install the tools they want and the more susceptible they will be. I’m not saying it’s a bad idea, I’m just wondering about the potential for abuse.
Well, I have to say it is a wonderful idea – just one little rant: why don’t you have made it function for konqueror and kde also? If I click on the link in konqueror a new apt:/ tab will open, no prompting for installation.
If you could bring this to KDE also it would be wonderful…a bit of a shame KDE generally has to wait one distro more than GNOME for these things (see restricted-manager) :'(
Jim – the only way I know of for this to be a security problem is to tell the users in the tutorial to add third-party repositories. As I understand the functionality the apt: link will search the currently configured repositories on the machine and search for the package. There really is no way for me to spoof the package. I think this is actually *more* secure than me directly linking to a package, which I *can* spoof or alter. This ensures that the package is coming from *your* configured repositories and no place else.
I think we will see something similar to what you now see with OpenSUSE’s one-click install. Just an image saying “install for Ubuntu 7.10”. Most packages are made for a single version of Ubuntu anyway.
@Jim: I had the same concerns about spoofing users when I saw this and I still do. Users are going to be used to just clicking links to install stuff. Well what happens when someone links directly to a .deb with some malicious purpose? Currently, non-tech-savvy users feel like something is wrong because they aren’t used to installing external .debs. But if they are accustom to clicking links, these mental red flags wont be going off and then we have the same problem Windows has. Basically, a huge downside I see is that now we are requiring users to understand different trust levels. Before, there was really only the repo and that was it. No understanding of trust was needed.
It’s a nice idea but I think that it’s use will be mostly limited to new users. Since only the already configured repositories are used, apt-url is a great way to help people satisfy their early needs.
But soon they will look for things that are not in the official repositories (codecs, newer versions of certain applications etc). This is where the not so good old way of installing debs or adding third party repositories returns.
openSUSE goes farther by allowing it’s one-click install to set up the new repository and immediately download the desired software. Therefore it’s definitely less secure than apt-url but at least it is a solution for the (rather common) problem of having to add new repositories or download single debs.
Hmm, doesn’t work for me. I’m running 7.10, and testing this on Firefox.
i use apturl to write my tutorial on my (french) blog and everyone seems to be happy to use it :
http://yeknan.free.fr/blog/index.php?2007/10/03/190-logiciels-sous-ubuntu-710-gutsy-gibbon
http://yeknan.free.fr/blog/index.php?2007/10/03/189-jeux-sous-ubuntu-710-gutsy-gibbon
Pingback: rapidoda » Blog Archive » AptURL : Web Based Package Installation
Why was this not installed as a gconf protocol!!!! Using just firefox is very limiting… what about rss reed readers!!!
I think that is a great idea! I often email links to blog postings to less-Linux-savvy friends (but fellow Ubuntu users). It would be quite handy to aid their implementation.
Having links that add repositories is the next step. Such a feature should probably not be enabled by default, but it should be there for power users.
Using something like this under maemo (Nokia N800), and it is quite useful.
I don’t see how this is a security risk. Right now, if people click on a .deb, it’ll open it up and offer to install it in gdebi. If you click on this, it’ll get it from your repos. The fact is, if you have poisoned items in your repos already.. then the trouble isn’t from a website using apt-url.. the trouble has already happened.
What?
sudo aptitude install this-blog!
better 🙂
Pingback: Apturl « EsUbuntu
This is great, I’ll make sure that I link like that for any packages I refer to from my blog. This seems like a win-win. The more links non-Ubuntu users see to Ubuntu packages, the more they will be attracted towards trying them out, the bigger the userbase!
Great, I’d like to see more sites using this.
The only things that I don’t like with apt-url are: a) it doesn’t work on Liferea; and b) when it asks if you want to install the package, there is no option to see a description of the package.
Pingback: rapidoda » Blog Archive » Comment on AptURL : Web Based Package Installation by Marius Scurtescu
Pingback: rapidoda » Blog Archive » Comment on AptURL : Web Based Package Installation by jh
If any of you are wanting this for KDE/Konqueror, go to Tonio’s personal package archive and download his kio slave for apt.
http://ppa.launchpad.net/tonio/ubuntu
Sorry, this is the link:
http://igordevlog.blogspot.com/2007/10/dear-lazy-web-i-need-html-button.html
I’ll second Luca’s “rant” about it not being KDE friendly. Sounds like a great tool, but it comes with too much Gnome-specific baggage for me.
I hope you appreciate the irony in the: “apt:apturl” link 🙂
This is good idea.
http://conceptualcaves.com/goodies/aptthis/
Your example won't work if the user has not enabled the universe and the multiverse repositories.
But this will:
apt:ubuntu-restricted-extras?section=universe?section=multiverse
It also enables those repositories.