RFC: On-demand package installation API in kdelibs

Martin Sandsmark martin.sandsmark at kde.org
Thu Jul 29 16:44:23 BST 2010

On Thu, Jul 29, 2010 at 04:12:53PM +0200, Lubos Lunak wrote:
>  So? If you're fine with polkit for the clock, you should be fine with polkit 
> for installing trusted packages too.

You don't see the difference between allowing the user to change the clock
without asking for confirmation, and installing unauthenticated, arbitrary
packages from arbitrary sources without confirmation?

>  Which is not the usual case. The usual case is also a result of the user 
> explicitly doing something.

Could you please enlighten me to the usual case, if not the application
trying to use this functionality? If you intend to just install all the extra
dependencies once on the first run of the application, why not add them as
normal (or optional) dependencies to the application?

>  Of course not. The useful feature is the excuse.

It is still just an excuse. But if you think training users to click through
and entering their passwords, as well as moving legal liability over to KDE,
is worth it for band-aiding over distributions crippling their multimedia
packages, I can't argue with you, only disagree.

> > >  No. They are in additional 3rd party repositories which need to be added
> > > first, or the packages need to be installed in a different way, so they
> > > sadly can't be installed in a simple way :(. But you don't install those
> > > every day either.
> > Seriously, you want KDE to automatically download and install unverifiable
> > packages from 3rd parties?
>  No. Did I say that? Let see. No, I didn't.

1.: You proposed this API to automatically install extra multimedia packages
    when missing.
2.: These multimedia packages are not available in the official, verifiable

So yes, you did. Unless you mean the distributions somehow can verify the
packages, in which case I don't have a problem with this.

> - Because we already do have it, today. Just check the dialog or notification 
> next time something complains you don't have something installed. And nothing 
> stops you, you can have it cumbersome forever if you want.

I don't get that dialog, I have a package manager that handles this at
installation time. :-)

> - Because I doubt it's more secure and it's definitely not more sane.

I'm sorry, a perfect implementation will of course be secure, what I meant
was that it would be bad from a security perspective (training users to click
through etc.).

> - Because most people prefer computers doing the work for them, and not doing 
> work for computers.


>  I'm not ignoring the feedback, I wouldn't be bothered with writing this mail 
> otherwise. Also, not ignoring the feedback means also not ignoring all those 
> people who say your concerns don't matter much in practice and who outnumber 
> you.

OK, and sorry if I am very stubborn and rude.

Noone has yet met my criticism, though (without being incoherent from
sentence to sentence).

Martin Sandsmark 

More information about the kde-core-devel mailing list