GPG Transitioning

Yay, I am doing the transitioning too. So w/o further ado, welcome my new GPG key:

pub   4096R/D8C44738 2009-06-06
      Key fingerprint = 3578 0981 A21D D662 2A96  7623 F4C1 838C D8C4 4738
uid                  Richard A. Johnson <nixternal@gmail.com>
uid                  Richard A. Johnson <rich@nixternal.com>
uid                  Richard A. Johnson <rjohnson@kde.org>
uid                  Richard A. Johnson <johnson.richie@att.net>
uid                  Richard A. Johnson <nixternal@ubuntu.com>
uid                  Richard A. Johnson <nixternal@kubuntu.org>
uid                  [jpeg image of size 12182]
sub   4096R/6B8A7765 2009-06-06

Yes, I even added my picture to the key, because it is even groovier that way.

And now say goodbye to my old key (well not yet, transitioning it out, so use the new key instead from now on):

pub   1024D/2E2C0124 2006-05-21
      Key fingerprint = 9554 2BCC 3AA2 3898 0939  56E7 3EC9 A39D 2E2C 0124
uid                  Richard A. Johnson <nixternal@ubuntu.com>
uid                  Richard A. Johnson <nixternal@kubuntu.org>
uid                  Richard A. Johnson <nixternal@gmail.com>
uid                  Richard A. Johnson <rich@nixternal.com>
uid                  Richard A. Johnson <johnson.richie@att.net>
uid                  Richard A. Johnson <rjohnson@kde.org>
sub   2048g/B9DDBD35 2006-05-21

So, if you have signed my key in the past, I wrote up one of those transitioning letters that are signed by both keys. You can download that HERE. You can also DOWNLOAD the public key if you really need it, or you can just do the following to get it:

gpg --keyserver keyserver.ubuntu.com --recv-key D8C44738

So if you feel safe enough, without having to go through my wallet to verify I do in fact own the new key, I would appreciate it if you would sign it, if not I understand, and the next time we are face-to-face, you are buying beer! 🙂

Posted in Personal | Tagged | 2 Responses
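An added example, not part of the original post: an 8-digit ID such as D8C44738 does not uniquely identify a key, so before signing it is worth comparing the imported key's full fingerprint with the one printed above and confirming that the transition letter really carries valid signatures from both keys. The sketch parses gpg's machine-readable output; the sample input and the LETTER file name are constructed placeholders.

```shell
# Added example; fingerprints are the ones printed in the post, spaces removed.
NEW_FPR=35780981A21DD6622A967623F4C1838CD8C44738
OLD_FPR=95542BCC3AA23898093956E73EC9A39D2E2C0124

# stdin: `gpg --with-colons --fingerprint D8C44738` output.
# Prints the primary key fingerprint (the first fpr record after a pub record).
primary_fpr() {
    awk -F: '$1 == "pub" { want = 1; next }
             want && $1 == "fpr" { print toupper($10); exit }'
}

# stdin: `gpg --status-fd 1 --verify LETTER` output (LETTER is a placeholder
# for the downloaded transition statement). Succeeds only if there is a
# VALIDSIG record for BOTH keys. Field 3 is the signing key fingerprint and
# the last field is its primary key fingerprint; either may match.
signed_by_both() {
    awk -v newfpr="$NEW_FPR" -v oldfpr="$OLD_FPR" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if ($3 == newfpr || $NF == newfpr) seen_new = 1
            if ($3 == oldfpr || $NF == oldfpr) seen_old = 1
        }
        END { exit !(seen_new && seen_old) }'
}

# Constructed sample inputs (timestamps and flags are made up).
sample_listing() {
    cat <<EOF
pub:-:4096:1:F4C1838CD8C44738:1244246400:::-:::scESC:
fpr:::::::::$NEW_FPR:
uid:-::::1244246400::::Richard A. Johnson <nixternal@ubuntu.com>:
EOF
}
sample_status() {
    cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG $NEW_FPR 2009-06-06 1244300000 0 4 0 1 8 01 $NEW_FPR
[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG $OLD_FPR 2009-06-06 1244300000 0 3 0 17 2 01 $OLD_FPR
EOF
}

[ "$(sample_listing | primary_fpr)" = "$NEW_FPR" ] && echo "fingerprint matches"
sample_status | signed_by_both && echo "letter signed by both keys"
```
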

Apt URL Part Two

OK, so after going through comments on my previous post about Apt URL it has become obvious to me. Apt URL is a band aid more than it is a way for people to easily distribute software. Is this a bad thing? No, not in my personal opinion. It seems the main arguments I received in the post, and especially on IRC (thanks to all of you who messaged me bitching me out, that rocks!) are as follows:

  1. Once Ubuntu is released, we aren’t getting new updates.
  2. Package so-and-so hasn’t been updated in 2 years
  3. This will allow software developers to get their software out to more people.

OK, so it is obvious why I call Apt URL a band aid, and points #1 and #2 show this. For point #1 it is obvious that Backports aren’t getting utilized as they probably should. Point #2 shows us that there are more merges on MoM than there are developers to handle that, and that there is a ton of software we aren’t paying attention to. This is something that has to be fixed, but has proven difficult for the past few years.

That brings me to point #3. In a comment in my last post, Skype was brought up, and how it isn’t in the Ubuntu repositories. Is there a reason that Skype can’t go into Multiverse or the Canonical repositories? Is there something I am missing when it comes to the non-free repositories? I will admit I do not follow them since I attempt to keep my system RMS happy :p

OK, so here is my other question, slash, problem. Security! I keep hearing about this “whitelist.” Am I to expect that people are going to go through the Core Developer process in order to get on this so-called whitelist? If you don’t do a process like this, well you just flat out disrespected every MOTU and Core Developer in our community. If you make them go through a process like this, then why can’t they be a MOTU or Core Developer in Ubuntu? This is my big issue really. If you don’t make them go through the process that every MOTU and Core Developer has done then you might as well spit in those people’s faces who have put their blood, sweat, and tears into gaining a certain level of trust. And if you do make them go through the same process, then what the heck, it makes no sense.

I am still looking for solid information on why this is good, and how it can be utilized for something other than a band aid. Martin Owens had my favorite comment on the previous post, about what kind of society do I think we live in and what not. Martin, we live in a society right now where people need protection more than anything. I am not talking about the old G-Dub terrorist protection plan, I am talking about those evil little kids in mommy and daddy’s basement using other people’s scripts to do damage. Linux, just like Windows and Mac, is as secure as its user. I think it is in Ubuntu’s best interest to protect the users as much as possible, but not to the point where we cut off their freedoms. If people want Apt URL, give it to them, but I think Ubuntu should make the same statement it did about Automatix years back.

If we want to make it easy for people to get the latest and greatest software, then we need to start working on fixing our infrastructure so we can do it correctly and safely. Since there is no single package manager to rule them all, Linux software distribution will continue to be a pain in the ass. Here is an idea. How about a mailing list or such, where upstream developers can announce new software, updated software, and what not? Everyone who wants to be a packager, look there and get to work? There has to be a way to have solid upstream <—> downstream communications, it is sounding like it isn’t happening to me.

Posted in Application, Linux | Tagged | 14 Responses

My thoughts about Apt URL

  • Everything you need comes on one CD
  • Ubuntu is designed with security in mind

Both of the above lines were taken from the What is Ubuntu? page on the Ubuntu website. If this is still true, then we don’t need Apt URL do we? If it isn’t true, and we do in fact need something like Apt URL, shouldn’t these 2 lines be removed from the website?

The need for Apt URL simply tells us that Ubuntu doesn’t have everything you need on one CD. In the AptURL Policy Discussion blueprint on Launchpad, Rick Spencer states the following:

It should be much easier than it is for developers to get their apps to users, and it should be much easier for users to install such software. PPAs is potentially a good way to do this. Finding PPAs and exchanging keys should be much easier.

I couldn’t agree more, and can see how AptURL might actually work for this. But. Of course there is a but, otherwise this post would be more useless than it probably already is. The developers of the software that must be easier to get, should probably communicate with the distributions a bit, let us know they have a new release they would like to get into Ubuntu or they have new software. If we can’t get the software into the current release or the next release, then a PPA is perfect for this. But instead of me, Martin Owens, or anyone else for that matter, publishing software to a personal PPA, why not have the teams do it instead? The Kubuntu Team has a PPA, and I know a lot of the other teams do as well. Why don’t these teams publish it into their PPAs? This way here we don’t have to worry about the whole trust thing. With it going into a team PPA, the chance of more eyes seeing it before it is released to the masses is higher than it would be if I were to package and upload to my PPA. Using Launchpad, put an Apt URL button, similar to the One-Click buttons that openSUSE uses, on the team’s PPA page, if we really need Apt URL that bad.

The whole security minded thing was added because I can’t think of one way to really make this whole Apt URL thing secure, can you? GPG keys won’t do it, creating some network of trust won’t do it? Look at the sites that allow developers of Mac OS X and Windows software to distribute their stuff, do you see “This person is in our web of trust”? No, what you might see is a list of comments, and after a product has enough comments, it can get that whole “Preferred Developer” type of tag added to their name. Kind of like Pirate Bay does with people who distribute stuff there. They use a skull and a color to represent people of trust or good faith, which is kind of odd. At first I saw the skull and thought, oh stay away from that one. Security will always be a bitch with Apt URL. I was looking to see what kind of policy openSUSE had with One-Click stuff and I couldn’t find anything. Did they realize it was a “Use at your own risk” type of deal instead of spending the past 2 or 3 development cycles trying to figure out a policy that just isn’t there?

The fact that it is considered not easy to add a 3rd party repository should speak volumes in itself. We want to protect our users any way we can, and Apt URL will prevent us from doing so, from what I have seen thus far, you could of course prove me wrong and I hope that happens, soon! If a user doesn’t understand how to add another repository, should they really be trying to add it at all? What is the reason for them trying to add another repository?

Is it because:

  • The package isn’t available in Ubuntu?
  • The package is outdated in Ubuntu?
  • The package is broken in Ubuntu?

If you answered yes to any of these, then your excuse of using Apt URL is nothing more than a band aid for problems in Ubuntu. But the package isn’t available in Ubuntu. Did you or anyone else file a bug to get the package in Ubuntu? No? That is definitely a reason why it isn’t in there, but I can understand this. Maybe you don’t know how to file a bug, and if this is the case, then maybe we should spend time somewhere else instead of Apt URL so we can make that process even easier, because the ability to file a bug is far more important than the ability to add a 3rd party repository that is loaded with candy from a stranger. How about the bug is filed, but nobody is looking at it? That is a problem with Ubuntu, so maybe we should spend time on figuring out how to fix this? How about it is packaged and sitting in REVU which nobody has looked at it since September or something? Yet another problem with Ubuntu, and something we need to spend time on. The list can continue and cover an outdated and/or broken package as well.

Are people pushing Apt URL as a band aid for Ubuntu? Will Apt URL really make it easier for software developers to push their products to the public? Fill me in, what am I missing? Why is Apt URL so important?

Addition: Wanted to also note, that I don’t think apt-url will fix the issue of getting the latest software out there or fixed software much better than it already is. If Ubuntu is experiencing problems that are causing this band aid to be created, then what are we going to do in order to provide another band aid when the people running these “whitelisted” repositories start to dry up? If these people running these “whitelisted” repos can contribute to their own repo, why can’t they contribute to ours? Shouldn’t we be trying to recruit these people? Shouldn’t we be trying to hold on to the ones we have now?

Posted in Application, Linux | Tagged | 33 Responses