ubuntu-phone team mailing list archive

[Zoltán Balogh <zoltan.balogh@xxxxxxxxxxxxx>]

On 04/09/2013 11:36 PM, Robert Bruce Park wrote:
> On Tue, Apr 09, 2013 at 11:01:02AM -0400, Barry Warsaw wrote:
> > On Apr 09, 2013, at 12:37 PM, Ma Xiaojun wrote:
> > > I guess we should not require painful DEB packaging any more, or we
> > > wrapper it nicely.
> > It's certainly true that learning how to package for Debian/Ubuntu is a big
> > hurdle for developers.  It seemed a big mystery to me when I started to learn
> > how to do it.  Now that I know how to package and have helped others get
> > started, I'm even more convinced that it's too high of a hurdle to require of
> > developers.
> >
> > Learning how to package the Debian way is worth the investment if you are an
> > Ubuntu and/or Debian developer (e.g. a core-dev, PPU, or DD), but IMO it's too
> > much if you just want to build apps for the platform.
> Personally, i think the idea of a centrally curated archive that
> contains "all possible apps" is a bit mad. Compare to Google Play
> store and Apple App Store... sure those companies are hosting those
> apps centrally, but they do not have a review process for submission,
> nor onerous packaging guidelines that must be strictly adhered to.
>
> Before I was hired by Canonical, I was developing a GNOME app, and I
> had hoped to have it included in Ubuntu universe... but now that I am
> working here and doing packaging work for a living, I have just about
> zero desire to include my app in the distro. The PPA is 'good enough'
> and people who want my app can get the PPA.
>
> I think we should probably look into streamlining the PPA-related
> tools, like have some kind of browser integration so you can click a
> link in firefox and make it enable a PPA for you, and then also have
> some kind of graphical tool for using ppa-purge to uninstall. This way
> app developers can make their own minimal PPAs with minimal packaging
> boilerplate, skip right past all the ARB overhead, and still be easily
> installed by users.
>
> Perhaps for security reasons it might be necessary to create a new
> kind of reduced-rights PPA so that PPAs can only provide new software
> (take away the ability of the PPA to overwrite system components with
> potentially-harmful components), but I'm not sure how to do such a
> thing.


There are two fundamental problems with PPAs. The number one you too 
name. It is the security... enabling a PPA opens a security whole as the 
owner of the PPA can push updates to any package and any file in the system.

The other is performance. Enabling 10-20 PPAs will make the update 
process very slow.

bzoltan