216 Comments
- andycr512, on 04/07/2008, -2/+79
This is a really nice tool; it seems to come preinstalled with the latest versions of Ubuntu. Here's a trick: In Firefox, click Bookmarks->Organize Bookmarks. Click New Bookmark. Under location, type "apt:%s" without the quotes. Under keyword, type "install" without the quotes. From then on, you can install software from inside Firefox by typing "install (package)", i.e. "install amarok".
- sirhomer, on 04/07/2008, -3/+70
For the Windows users confused about this, this is a Windows-user centric analogy:
Suppose you wanted to install Thunderbird. So how do you do this? You go to the Mozilla website or some download website, search for a download link, download the software, run the installer, and finally use your software by finding it in the start menu.
In Ubuntu you would type something like this:
apt://mozilla-thunderbird
Some messagebox will pop up along the lines of: "Do you wish to install Mozilla Thunderbird?"
That's all. With that one step, it actually downloads the software from the internet, runs the installer (silently), and installs the software. The software is downloaded from a secure repository with all the software peer reviewed, signed, and then checked for integrity when you install it, so you can be virtually assured it's not a virus. If this is not enough, the "metadata" (information about the program and how it was installed) for the package is then stored locally on your computer, and when an update to the software is detected, your system will automatically notify you and download the update. This is for anything installed on your machine, regardless if it's something like Thunderbird or OS files. There is no separate updater. One unified updater for all your applications.
I hope this helps.
- BradHAWK, on 04/07/2008, -6/+48
Pffft - some Windows software will install itself with no clicks or dialog boxes at all.
- andycr512, on 04/07/2008, -2/+34
How do you exploit it? Anything supplied to "apt:" is checked in the apt package list. If such a package exists in the secure Ubuntu repositories, it offers to install it, requiring permission to do so. The worst that could happen is someone completely ignoring the message telling them what package it wanted to install and getting a verified secure piece of software installed that they didn't want.
- andycr512, on 04/07/2008, -2/+26
It's not even comparable to .exe files. You have -nothing- even remotely close to this.
- Mohdoo, on 04/07/2008, -0/+20
I have never seen so many Windows idiots get so owned by so many Linux users in one thread.
- 4DFX, on 04/07/2008, -6/+25
So each distro is going to have its own click-to-install system now? That's very bad. We need a common way of doing it on every (or at least on most) distros.
- akkibaba, on 04/07/2008, -0/+18
Wukillabee's advice to young people: Don't bother trying to read or understand articles before commenting. That takes up valuable time that you can better spend looking like a fool.
- TeacherOfHeroes, on 04/07/2008, -2/+20
Harder than this?
- andycr512, on 04/07/2008, -7/+23
Really? You can click a simple web link in Windows and have it download and install a given piece of software from over 10,000 choices from a verified-secure repository?
Please come back when you actually know what you're talking about.
- geobay, on 04/07/2008, -1/+15
For you and anyone out there who is thinking this is like ActiveX...
No. It's not even remotely the same thing as ActiveX. This doesn't introduce any new vulnerabilities, and doesn't make the system any less secure than it already is. If you were to modify the apt:url to a program not in the repos, it would just say "package not found" or something to that effect.
The apt:url doesn't download anything from anywhere...it just tells apt-get to search the repos and install the program if available.
- mrsteveman1, on 04/07/2008, -1/+15
It also can't be used to install software for which a repo is not currently installed on the user's machine.
Make more sense next time please
- T8erT0T, on 04/07/2008, -1/+15
A righteous digg for a righteous tip.
- TeacherOfHeroes, on 04/07/2008, -0/+14
Indeed, the windows equivalent of this would be if microsoft maintained a large collection of trusted 3rd party software on their website (not excluding the competition) all packaged in msi installer form, digitally signed them, and integrated a special url-handler into IE, so that whenever you wanted to help someone install something, all you had to do was give a special link to a trusted microsoft installer, e.g. msi://firefox
- Kasot, on 04/07/2008, -3/+17
For the windows people: This means installing software on Linux is easier than installing extensions to Firefox. If you can find a link, that is. I'm sure there will pop up an online archive of software any day :)
- TeacherOfHeroes, on 04/07/2008, -1/+14
From the article that you apparently didn't read:
"Now before everyone starts complaining of how “insecure” this is, consider this. All that is really being done is apt-get is being told what program to install. So a “malicious” blogger can’t install “harmful” software because it isn’t in your repositories. Apturl only works with programs in your repositories. If apt-get can’t install it, neither can Apturl! You can’t run commands using Apturl, so no worries of automatic disk formatting!"
- antdude, on 04/07/2008, -0/+12
Not to n00bs. How about your mom? Does she know command line?
- mazza558, on 04/07/2008, -1/+13
See andycr512's comment above:
"How do you exploit it? Anything supplied to "apt:" is checked in the apt package list. If such a package exists in the secure Ubuntu repositories, it offers to install it, requiring permission to do so. The worst that could happen is someone completely ignoring the message telling them what package it wanted to install and getting a verified secure piece of software installed that they didn't want."
- daftman, on 04/07/2008, -4/+15
This is because Suse already uses a different installing system from Ubuntu. Yum
- daftman, on 04/07/2008, -1/+12
this is for installing software that is in the current repository, not for adding a new repo.
- agentlame, on 04/07/2008, -1/+12
For my Grandmother, it is. Grambuntu FTW.
- chmcarro, on 04/07/2008, -1/+12
But how am I to tell it to agree to the license agreement, install in a specific location, give it to all users, customize what portions to exclude, put a shortcut on my desktop, include it in my start menu, install weatherbug, install ie toolbars and search engines, open the readme, and run it when it's done? Oh, and check for updates.
- andycr512, on 04/07/2008, -0/+11
The point of it is not mainly to have users install software through typing apt://package; the main purpose is to have pages which give instructions and supply install links directly inside the page, where the page maintainer already knows what the right package name is. Example:
To set up the latest CVS version of Eclipse, you must have the Java SDK and the CVS client.
Java SDK : Install [ apt://sun-java5-jdk ]
CVS: Install [ apt://cvs ]
- manitoba98xp, on 04/07/2008, -1/+12
Great summary. The only thing I have to say is that apturl is more intended so that users can click links on other sites: end users may not know the package name (if they do, it's just as easy to run "apt-get install mozilla-thunderbird" themselves).
- Sairgem, on 04/07/2008, -2/+12
If you need to manually search for dependencies in Ubuntu, you're doing it wrong. Are you trying to install from source?
- TeacherOfHeroes, on 04/07/2008, -1/+11
apparently no one is going to bother reading the article before commenting...
"Now before everyone starts complaining of how “insecure” this is, consider this. All that is really being done is apt-get is being told what program to install. So a “malicious” blogger can’t install “harmful” software because it isn’t in your repositories. Apturl only works with programs in your repositories. If apt-get can’t install it, neither can Apturl! You can’t run commands using Apturl, so no worries of automatic disk formatting!"
- Andytom, on 04/07/2008, -2/+12
I think I saw this for openSUSE a while ago http://news.opensuse.org/2007/08/21/sneak-peeks-at ...
- andycr512, on 04/07/2008, -3/+13
It can't be used to install software without prompting the user.
- srg13, on 04/07/2008, -0/+10
Well, in a tutorial, instead of saying to open a terminal and apt-get install something, they could say "Click here to install something"
- TeacherOfHeroes, on 04/07/2008, -1/+11
I'm not sure there are any rick-rolls in the ubuntu repos. This tool will only install software that is already in a package repository that your system has been configured to trust. In order to exploit this, you would have to find some way to make additions to /etc/apt/sources.list, which requires admin access, which makes the need for this exploit kind of redundant
- bratterscain, on 04/07/2008, -1/+11
.exe is a prepared package. This is a series of automated, and preapproved steps.
- daftman, on 04/07/2008, -1/+11
you miss out the: "The software is downloaded from a secure repository with all the software peer reviewed, signed, and then checked for integrity when you install it, so you can be virtually assured it's not a virus." part
you can't do this on windows
- HonoredMule, on 04/07/2008, -0/+10
This is insecure
"quote from article"
This is just like windows
RTFA: preschool-level explanation.
How will you stop malware?
How can there be malware to stop?
viruses!
reading comprehension!
...
I didn't enjoy reading the discussion of this article much, but I can take solace that at least there's idiot-educators in equal parts to idiots. It's a shame they are likely as incompetent at reading the rebuttals of their stupidity, as they are at reading the article itself.
- geobay, on 04/07/2008, -1/+11
All of you suggesting this will be used as an exploit have absolutely no understanding of how a package management system such as apt works.
If you can get your malware into Ubuntu's repositories, then it could be installed via this method. Since that is obviously not going to happen, this introduces no vulnerabilities.
- Stonekeeper, on 04/07/2008, -0/+10
you forgot the reboot
- nickgs, on 04/07/2008, -2/+11
Installing software using apt has been much easier than add/remove programs in Windows for some time. Looks like tools like this may take it the next level. I think us Linux guys have this presented pretty easy to the users by now. Now we need to make the software more usable AND compatible for it to be of any value to everyday PC users.
- srg13, on 04/07/2008, -0/+9
New users would probably prefer to click a link and have it done for them
- sharris203, on 04/07/2008, -1/+10
That's a good idea and all BUT how about I just type "apt:(package)" like default instead of "install (package)", which is more letters.
- benjiman, on 04/07/2008, -0/+9
Actually the specification[0] used in openSUSE to enable this is significantly more flexible. It allows installation of packages anywhere, from any vendor. Which makes it useful for independent software vendors. It is also distribution independent, so vendors could make an install link that will work whether or not the user is using openSUSE or ubuntu or fedora. To enable this a client must be implemented for each distribution. Someone did make a proof of concept implementation for ubuntu[1].
There is an ubuntu specification being developed to do the same thing [2], but it is limited to ubuntu. Hopefully we can work together and use the same format. The ubuntu developers responsible for the specification seem amenable to this.
[0] http://en.opensuse.org/Standards/One_Click_Install
[1] http://video.google.co.uk/videoplay?docid=49431563 ...
[2] https://wiki.ubuntu.com/ThirdPartyApt
- agentlame, on 04/07/2008, -0/+9
Yes... No more than http:// link can.
ALL it does is tell your OS to apt-get "package" ... There is nothing about it that uses SITE supplied code. The only thing it can install are things in your approved, signed repos.
You would/will have better luck with a .deb, and a JavaScript exploit.
- zwaldowski, on 04/07/2008, -1/+10
No. Download >> Wait for download to finish >> Click Run >> Click Yes >> Click Next >> Check Agree >> Click Next >> Click Next >> Wait (again) >> Finish. Quicky, right?
- superyounan1, on 04/07/2008, -1/+9
the difference is that the software is being downloaded from a centralized software repository, as opposed to a random hosting web server where the file is residing. That is all nothing new to apt users, but the difference is all the benefits of repositories are now being extended to simple links that windows users are used to, best of both worlds kind of thing.
Undeniably it is easy to install windows software, and many good programs now check for updates on their own, but that is not guaranteed and you have to be extra careful that the source of the software is a trusted one.
Basically the bottom line to the end user: it's just as easy to download programs from their repository as it is to download a file from the internet, with no concerns about security. seems subtle, but can save people some big headaches and reduce learning curves
- andycr512, on 04/07/2008, -1/+9
Exactly, and not only does it only tell it to get trusted software, but it also asks the user first and has to get root authorization from the user.
- TeacherOfHeroes, on 04/07/2008, -1/+9
All this is doing is handing off a package name to the package manager. Only repositories that come with Ubuntu (or those that you add yourself) are trusted. If the software isn't in the package lists, it can't be installed. Assuming that you don't go about adding 'deb http://www.gator.com/ubuntu gutsy' to your /etc/apt/sources.list file, you should be fine.
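
The hand-off several comments describe (a link supplies only a package name, which is then looked up in the configured package lists) can be sketched as follows. This is an added example, not apturl's code and not from any commenter; `KNOWN_PACKAGES`, `Rejected`, `packages_from_apt_url` and `would_prompt` are hypothetical names, and the package set is constructed sample data.

```python
import re
from urllib.parse import unquote

# Debian policy package-name syntax: lowercase alphanumerics plus "+", "-",
# ".", at least two characters, starting with an alphanumeric.
PKG_NAME = re.compile(r"[a-z0-9][a-z0-9+.\-]+")

# Constructed stand-in for the package lists of the configured repositories.
KNOWN_PACKAGES = {"amarok", "cvs", "mozilla-thunderbird", "sun-java5-jdk"}


class Rejected(ValueError):
    """The link is not handed to the package manager."""


def packages_from_apt_url(url, known=KNOWN_PACKAGES):
    """Return the package names an apt: link asks for, or raise Rejected.

    Nothing is installed here; the result is what a handler would show in
    its confirmation dialog before asking for root authorization.
    """
    scheme, sep, rest = url.partition(":")
    if not sep or scheme.lower() != "apt":
        raise Rejected("not an apt: URL")
    # Accept apt:pkg and apt://pkg; decode percent-escapes once so that
    # validation sees the same text the package manager would.
    rest = unquote(rest[2:] if rest.startswith("//") else rest).rstrip("/")
    names = rest.split(",")  # comma-separated list: this sketch's assumption
    for name in names:
        # fullmatch: the whole string must be a package name, so spaces,
        # ";", "|", a leading "-" (an option) or an embedded URL all fail.
        if not PKG_NAME.fullmatch(name):
            raise Rejected(f"not a package name: {name!r}")
        if name not in known:
            raise Rejected(f"package not found: {name}")
    return names


def would_prompt(url):
    """True if the link gets as far as the confirmation dialog."""
    try:
        packages_from_apt_url(url)
        return True
    except Rejected:
        return False
```

The allow-list check happens before anything reaches the package manager, so the set of reachable packages is bounded by what is in the package lists, which is why the contents of /etc/apt/sources.list are the real trust boundary.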
- agentlame, on 04/07/2008, -0/+8
http://www.google.com/search?q=define%3A+satire&ie ...
- jett, on 04/07/2008, -1/+9
not everyone is as comfortable in using a command line interface.
they could of course use Synaptic to do that but imagine how easy it would be for someone who was looking for an email client, do a search in Google, find the Thunderbird page and just click on a link to install that program.
- jdmcadam, on 04/07/2008, -3/+11
Digg me up.
- frogman54, on 04/07/2008, -1/+9
That is getting old on Digg. You "digg me down" folks need to switch it up a little bit. Maybe try and confuse us. Like, "Digg me counterclockwise."
- MoeWasHere, on 04/07/2008, -2/+9
LOL :
sudo apt-get install apturl
apturl is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
niiice ... and knowing is half the battle.
- daftman, on 04/07/2008, -2/+9
Err no. With windows, you download the file via browser through a website. With this you instruct the apt-get to download the file through Ubuntu's repository.
A file through a random website is untrusted and full of spyware. A file in the Ubuntu repository is signed, tested and free from virus.
the backend functionality is very different. The only thing that is similar is the User interaction.
It's like saying, a truck is exactly the same as a car because you both use a steering wheel.