LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Autopackage 1.0

Autopackage 1.0

Posted Apr 1, 2005 4:15 UTC (Fri) by mcatkins (guest, #4270)
Parent article: Autopackage 1.0

I'm surprised more people aren't worried by the fact that an autopackage
is an executable!!! What a wonderful vector for a virus!

We've almost convincing the windows people that running downloaded files
without looking at them very carefully is not too clever, and here someone
is suggesting the same for Linux!

What I'd like to see is:
1) a package format that is *not* executable
2) force the user to manually download, and install the autopackage
installer first. Better yet, why not put the autopackage installer into
the standard distributions, so after a while, everyone already has it?
3) Change the installation process of a package so that the first step
is to create a .deb/.rpm/etc suitable for the local system, from the
data in the autopackage, and then install that.
This way, autopackage files play well with whatever local
package management system is being used.

And doesn't alien already do most of the hard work? Or at least,
is a starting place.

1 is pretty-much non-negotiable, before I would use autopackage

(Log in to post comments)

Autopackage 1.0

Posted Apr 1, 2005 6:41 UTC (Fri) by khim (subscriber, #9252) [Link]

If you'll think about it it's minor nitpick. I mean: sure enough .rpm or .deb is not executable. Yet both have pre- and post- install scripts. Isn't it the same thing ?

As far as our packages can contain random code we can not be sure that "net-downloaded random package" will keep system unbroken. So neither rpm nor deb and of course not ebuild are suitable for such approach. Not really. Yet Autopackage makes problem worse, not better! This is my grief. This is not a packaging system - this is installer like InstallShit^H^H^H^HAnywhere plus packaging system (and later part is poorly made, BTW).

Autopackage 1.0

Posted Apr 1, 2005 7:10 UTC (Fri) by mcatkins (guest, #4270) [Link]

Thinking about it some more, you are probably right. I was thinking
that at least the package integrity, etc was checked before getting
to that point. But you're right - this doesn't really give you much.

I would maintain, however, that we shouldn't be encouraging people
to get into the habit of download+run (without putting on thinking hat).

Download+feed_to_some_program at least leaves open the possibility
that some checks occur, or could be added in the future, and thus is
a better habit to encourage - IMHO.

There is no replacement for "trusting" (to some extent) the source
of your packages!

My other comments still stand....

Autopackage 1.0

Posted Apr 1, 2005 10:37 UTC (Fri) by ballombe (subscriber, #9523) [Link]

> If you'll think about it it's minor nitpick. I mean: sure enough .rpm or .deb is not executable. Yet both have pre- and post- install scripts. Isn't it the same thing ?

No it is not. With .deb and .rpm, you can inspect the pre- and post- install scripts before deciding to install the package. You can also decide to extract the data without running the scripts.

You cannot do that in a documented way with the current autopackage format.

Autopackage 1.0

Posted Apr 2, 2005 20:11 UTC (Sat) by khim (subscriber, #9252) [Link]

And why the hell no ? It's just a script! Exactly like pre- or post- install scripts in .deb/.rpm! Sure if you'll find .rpm with pre- or post- install script 100Kb in size you'll probably skip this package (it's scary: what this #&*!^@&*#@ thing will do with my system?), but... difference is in quantity, not in size.

Basically: .rpm/.deb can be disastrous beasts, .package is always disastrous beast. First choice is better then second one, though not by very much.

Autopackage 1.0

Posted Apr 7, 2005 13:08 UTC (Thu) by mikehearn (guest, #29106) [Link]

Sure you can. The -d switch is documented and stable, it won't disappear anytime soon. It means running code, but it's all "in the clear" and you can read it first if you think it may be dangerous.

The -d switch puts the package into "debug" mode: it extracts the payload and the metadata into the temporary working directory, then dumps you into a shell so you can explore or edit the internals. At that point, all the scripts are available for your perusal.

Autopackage 1.0

Posted Dec 27, 2005 17:54 UTC (Tue) by dontunderstand (guest, #34777) [Link]

He Guys you really disappoint me... why not use the concept of softricity but now for Linux... That is the real sandbox idea, and easy to update, safe ... , using streaming

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds