CCing debian-dpkg for obvious reasons.

On Thu, 2008-05-29 at 14:18 +0200, Stefano Zacchiroli wrote:
> On Thu, May 29, 2008 at 01:24:59PM +0200, Marc 'HE' Brockschmidt wrote:
> > The probably easiest way would be to make apt whine on all packages
> > that are not available in any version at one of the locations
> > specified in sources.list. This trivial solution sucks, because
> > locally created packages [1] also fall in this category.
>
> Thinking about why this solution sucks (it does), it occurred to me that
> the reason is we don't have a ready to use easy way to let our users
> install packages "properly", that is: only via entries in sources.list.
> This is why they^W are using "dpkg -i".

Using `dpkg -i` really is insane as far as security is concerned: people
install Acrobat, Opera, Flashplayer, w32codecs and others manually, then
simply forget about it. I know that's exactly what people do in some
proprietary operating system but still, that's insane.

I suggest to modify dpkg so it refuses to install a package, unless the
option "--insecure" is specified. Such option's manpage description would be:

> dpkg --install --insecure package_file...
> The option --insecure is now mandatory to install a ".deb" package.
>
> Installing a ".deb" file manually is considered a bad practice (i.e.
> insecure), because the package wouldn't be updated when the maintainer
> releases a security update.
>
> Instead of downloading and installing a .deb file, you should declare
> its apt repository. This is done by adding the package's repository
> to /etc/apt/sources.list or /etc/apt/sources.list.d/. See
> sources.list(5).

* This option would be an effective solution to educate new users.
* For the same reason, we should remove gdebi's "Install" button.

I suggest Proposed manpage improvement for this option :

Franklin
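Added example, not part of the original message or of apt/dpkg: a small audit script for the check Marc describes, reporting installed packages that no location in sources.list offers in any version. It parses `apt-cache policy` output; the function names, the indentation-based line matching and the sample text are assumptions made for this illustration.

```python
import re
import sys

DPKG_STATUS = "/var/lib/dpkg/status"          # origin apt shows for the local dpkg database
PKG_RE = re.compile(r"^(\S+):\s*$")           # "opera:" opens a package stanza
SRC_RE = re.compile(r"^\s{6,}-?\d+\s+(\S+)")  # "        500 http://... Packages"

# Constructed, abbreviated `apt-cache policy` output (Candidate lines omitted).
SAMPLE_POLICY = """\
opera:
  Installed: 9.27
  Version table:
 *** 9.27 0
        100 /var/lib/dpkg/status
iceweasel:
  Installed: 3.0~rc1-1
  Version table:
     3.0~rc2-2 0
        500 http://ftp.debian.org lenny/main Packages
 *** 3.0~rc1-1 0
        100 /var/lib/dpkg/status
hello:
  Installed: (none)
  Version table:
     2.2-2 0
        500 http://ftp.debian.org lenny/main Packages
"""

def parse_policy(text):
    """Map package name -> {"installed": bool, "sources": set of origins}."""
    pkgs, cur = {}, None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            cur = pkgs.setdefault(m.group(1), {"installed": False, "sources": set()})
        elif cur is not None and line.strip().startswith("Installed:"):
            cur["installed"] = line.split(":", 1)[1].strip() != "(none)"
        elif cur is not None and SRC_RE.match(line):
            cur["sources"].add(SRC_RE.match(line).group(1))
    return pkgs

def unmanaged_packages(text):
    """Installed packages whose only known origin is the dpkg status file."""
    return sorted(n for n, p in parse_policy(text).items()
                  if p["installed"] and not p["sources"] - {DPKG_STATUS})

if __name__ == "__main__":
    data = SAMPLE_POLICY if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(unmanaged_packages(data)))
```

On a real system the input would come from `apt-cache policy $(dpkg-query -W -f='${Package} ')` piped to the script. Locally built packages are reported too, which is the drawback Marc points out.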