[conspire] Autodownload a Virus

Nick Moffitt nick at zork.net
Wed Jan 6 01:40:31 PST 2010


Rick Moen:
> Quoting Don Marti (dmarti at zgp.org):
> > There's also a UI design problem.  If a user clicks
> > on a web link, you don't want something like:
> >   Open "http://downloads.rat-bag.com/spyware/pwn.deb"
> >   with "Nifty GUI Package Installer?"
> 
> Now, that's a really, really good point.
> 
> Come to think of it, I'm not actually clear on what the user
> experience looks like, in any recent Ubuntu release, when you fetch
> and then double-click on a .deb file in GNOME's file-management
> thingie (Nautilus?).  Maybe an Ubuntista would care to comment.
> (Thanks!)

In current Ubuntu, clicking on a link to a .deb launches "gdebi".
You're asked (by Firefox) if you want to do this, to save the file or to
cancel (and I believe "save" is the default here).

The gdebi program will open with a pane displaying the description of
the package, and an "Install" button on the upper right.  The tool is
very grey and plain, although fatal errors show up as red on the Status
line at top.

Here's a screenshot of me opening a package I built for my VPS:

	http://zork.net/~nick/screenshots/gdebi.png 

I believe that unsigned packages get a stern warning as well, but the
whole application could do with a dose of UI re-tooling to make the
smart options clearer and the dumb options glaringly obvious.

Focus for Ubuntu lately has been on the "Ubuntu Software Centre" which
is really just a slick replacement for Synaptic (and is so much easier
to use for the common case of "I want that program... crap,
python-gubble was it?  I'll just search for gubble").  I've begun to find
it faster for me than the cycle of apt-cache search/apt-cache
show/apt-get install.

The thing to do, really, would be to file a UI bug about gdebi under the
"papercuts" project on launchpad.net:

	https://launchpad.net/hundredpapercuts

It strikes me that something comparable to the "No, don't just hit Y,
actually type the word 'Yes' with a capital 'Y'" inputs used by gnupg et
al would be helpful.  See also the old
--iacknowledgethatthistoolisnotabenchmark option to glxgears.  Force the
user to type in some sort of localized string that says "I know this is
a terrible idea but I'm going to do it anyway".

-- 
"Ill-informed qmail-bashing is better than no
qmail-bashing at all."
        --Don Marti
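
The typed-confirmation gate suggested in the last paragraph of the message, sketched as an added example that is not part of the original post and is not gdebi code. The phrase, function names and package name are hypothetical, and the signature check is assumed to have already flagged the package as unsigned.

```python
import io
import sys

# Hypothetical phrase; a real tool would localize it, as the post suggests.
PHRASE = "Yes, install this unsigned package"


def decide(typed, phrase=PHRASE):
    """Map one line of input to 'install', 'cancel' or 'retry'.

    typed is None on EOF (closed or non-interactive stdin).
    """
    if typed is None:
        return "cancel"      # nobody at the keyboard: never assume consent
    typed = typed.rstrip("\r\n")
    if typed == phrase:      # exact, case-sensitive match only
        return "install"
    if typed == "":
        return "cancel"      # bare Enter takes the safe default
    return "retry"           # "y", "yes", "YES" and near misses


def confirm_unsigned_install(package, stream, out, max_attempts=3):
    """Prompt on `out`, read from `stream`; True only if the phrase was typed."""
    out.write(f"WARNING: {package} is not signed by any trusted key.\n")
    out.write(f'To install anyway, type exactly: "{PHRASE}"\n')
    for _ in range(max_attempts):
        out.write("> ")
        line = stream.readline()          # "" means EOF, "\n" means bare Enter
        verdict = decide(line if line else None)
        if verdict == "install":
            return True
        if verdict == "cancel":
            break
        out.write("That is not the confirmation phrase.\n")
    out.write("Not installing.\n")
    return False


if __name__ == "__main__":
    # Constructed package name, echoing the example in the quoted text.
    ok = confirm_unsigned_install("pwn.deb", sys.stdin, sys.stdout)
    sys.exit(0 if ok else 1)
```

Because only the full phrase is accepted, a reflexive "y", a bare Enter, or input piped from `yes` all end in "Not installing."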



