Software Distribution Current main concern: security One of the our current serious limitations is the lack of security, we do not have any integrity or authority technology in place for our packages, they are provided by several mirrors which can be potentially compromised. APT repositories already provide the expected level of security with PGP signed MD5 checksums. APT Adoption Requirements APT is a stable and widely used software distribution technology, however it has some limitations when applied to our specific distribution model that need to be resolved:
- Package Selectivity - The default configuration for APT on Ubuntu will drive the system to be upgraded with the newest version available on any of the configured repositories, this is not the recommended policy for getdeb packages. People should keep a clean official system, having detailed control on the unofficial (getdeb) packages that will be installed, a massive upgrade is not recommended.
- Solutions:
- Validate that the "APT" pinning options are sufficient to setup a policy which allows to keep getdeb previously installed packages always updated from the repositories, and new packages only installed per manual request.
Creation of /etc/apt/preferences with
Package: *
- Validate that the "APT" pinning options are sufficient to setup a policy which allows to keep getdeb previously installed packages always updated from the repositories, and new packages only installed per manual request.
Pin: origin local.getdeb.net
Pin-Priority: 400'
Package override to be applied before install at /etc/apt/preferencesPackage:
Package: avidemux
Pin: release a=feisty-getdeb
Pin-Priority: 991- Use an APT capable client supporting pin management as described above
The best candidate for this implementation seems to be GApti, which implements https://wiki.ubuntu.com/ThirdPartyApt
Dynamic Mirrors Selection - The very frequent package updates are most likely to cause mirrors out of synchronization, in order to support the "intelligent" mirrors selection the APT dynamic mirror selection needs to be used. This is a new feature which is not widely used and needs to be tested. PlannedTecnhology
There are a few projects to extend the current software distribution options, all of them are based on APT but use different approaches: https://launchpad.net/ubuntu/+spec/third-party-apt https://blueprints.launchpad.net/ubuntu/+spec/apt-firefox-archive-handler
Since most of this APT based methods are tied to the existing apt distribution methods and maintainers for which the development control is very strict it may be preferable to create a new simpler technology, that could meet both the security and single click goals, this will be described on a new page, SoftwareDistributionSystem .