RFC: On-demand package installation API in kdelibs

Hans Meine hans_meine at gmx.net
Thu Jul 29 15:29:22 BST 2010

Hey Martin,

I clearly see you being opposed to what I believe would be a bad thing, but 
why do you assume the implementation to suck?  All your arguments do not hold 
with a good implementation!

On Thursday 29 July 2010 15:26:47 Martin Sandsmark wrote:
> You mention several usecases that should be improved (like using polkit for
> setting the lcock, so the user doesn't have to enter the password), but the
> point is to _minimize_ the number of dialogs the user has to click through
> and enter his/her password into, not keep adding them.

Exactly.  No point in discussing this.

> (We could also make a distinction between cases where the user manually
> lock something and need to unlock it, and randomly popping up dialogs
> because the distro suppies crippled packages.)

Everybody so far agreed that randomly popping up password dialogs are evil, so 
please stop bringing this up.

> This is still the result of the user explicitly doing something, as opposed
> to, for example, the mediaplayer just proceeding to the next track.

Of course, a mediaplayer should not try to have something installed when 
proceeding to another track.  OTOH, if you explicitly drop a number of files 
on the playlist, it would make sense to tell the user that these files are 
only supported with additional packages.  Then, if the user presses the "Sure, 
I understand, then please install that piece of software now" button, a 
package manager might eventually ask for a password (if no trusted source etc. 
is available).

Otherwise, unsupported files should simply be skipped.  But that would still 
be a bug in the media player, not in the proposed API.

> > first, or the packages need to be installed in a different way, so they
> > sadly can't be installed in a simple way :(. But you don't install those
> > every day either.
> Seriously, you want KDE to automatically download and install unverifiable
> packages from 3rd parties?

Of course not.  Nobody here would propose something stupid like that!

A distributor might decide to offer password-less installation from trusted 
sources, but could still offer a more verbose, "are-you-really-sure?"-path for 
installing from 3rd-party sources.  One does not preclude the other, does it?

> And if this is something you don't do every day either, why can't we have a
> slightly more cumbersome but much more secure and sane solution, ilke what
> Sune proposed, instead?

We can.  The point is that it would be up to distributors/packages to decide, 
which will also depend on the target audience.

> > But anyway, many people agree, some people disagree, and there doesn't
> > seem to be a middle ground. Since the default will be disabled and
> > enabling
> > will require special effort from the packager, I will work on a suitable
> > implementation for submitting. Those that don't like it can just leave
> > it as it is (or add an "Are you stupid?" dialog first where only
> > declining will prove the user worthy of the feature, for all I care).
> If you just ignore the feedback, what was the point of the RFC?

The feedback is not ignored AFAICT, but the point is to
- offer an API to prevent (or even reduce existing) code duplication, and
- offer an entry point for distributors to hook into their package managing 

As I see it, the API makes three solutions possible:
a) Simple dialogs instructing the user to install something (which would 
obviously be the default for people compiling from unpatched sources, at least 
for now).
b) The same, but including a way to directly open package managers with the 
desired packages/options being preselected.  (Easier and faster to use, no 
security thread here, is there?)
c) A more automated procedure with simple confirmation dialogs.

You might be against c) (and I can see why), but please don't confuse that 
with the introduction of a common API to make unified solutions possible.

I see this as a worthwile goal, exactly the goal of KDE: To have reusable 
pieces of software needed in many GUI apps, which also make applications look 
and behave more alike, and thus improve the user experience.


More information about the kde-core-devel mailing list