ubuntukylin-default-settings injects third-party repo

Bug #1914266 reported by Rolf Leggewie
Affects: ubuntukylin-default-settings (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

I was shocked to find out that a package in Ubuntu installs a sources.list snippet to point to a third-party repo. So far, I've always had to specifically enable any such third-party repo (Skype, etc.), so I was well aware of what was going on. That there is a package in universe allowed to sneak stuff in behind my back like that without at the very least a BIG FAT WARNING is untenable.

I have read https://lists.ubuntu.com/archives/technical-board/2014-April/001858.html and following BTW. I understood that to be about discussing the requirements to set up a separate, Ubuntu-sanctioned distribution channel supposedly for IP-related reasons. I'm fine with that. I'm absolutely not fine with a third-party repo being enabled automatically behind my back.

$ cat /etc/apt/sources.list.d/ubuntukylin.list
deb http://archive.ubuntukylin.com:10006/ubuntukylin focal main

$ sudo dpkg -S /etc/apt/sources.list.d/ubuntukylin.list
ubuntukylin-default-settings: /etc/apt/sources.list.d/ubuntukylin.list

$ apt policy ubuntukylin-default-settings
ubuntukylin-default-settings:
  Installed: 20.04.2
  Candidate: 20.04.2
  Version table:
 *** 20.04.2 500
        500 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages
        100 /var/lib/dpkg/status
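
The manual check above (reading the snippet, then asking dpkg who owns it) can be run over the whole sources directory. The script below is an added example, not part of the original report or of any Ubuntu package. The allowlist in ALLOWED_HOSTS and the function names are assumptions, and it reads only one-line .list entries, not deb822 .sources files.

```shell
#!/bin/sh
# Audit APT source snippets: report each enabled repo whose host is not on an
# allowlist, together with the package (if any) that shipped the snippet.

# Assumption: the hosts this machine is expected to install packages from.
ALLOWED_HOSTS="archive.ubuntu.com security.ubuntu.com ports.ubuntu.com"

# Print "host<TAB>uri" for every enabled one-line entry in a .list file.
# Commented-out entries are skipped; an [option=...] block is dropped first.
list_repo_hosts() {
    awk '/^[ \t]*deb(-src)?[ \t]/ {
        sub(/\[[^]]*\]/, "")              # remove "[arch=... signed-by=...]"
        uri = $2; host = uri
        sub("^[a-z0-9+]+://", "", host)   # strip the scheme
        sub("[/:].*$", "", host)          # strip port and path
        print host "\t" uri
    }' "$1"
}

# Name the owning package, as "dpkg -S" reports it, or "unowned".
snippet_owner() {
    if command -v dpkg >/dev/null 2>&1 && res=$(dpkg -S "$1" 2>/dev/null); then
        printf '%s\n' "${res%%:*}"
    else
        printf 'unowned\n'
    fi
}

# Print "file<TAB>uri<TAB>owner" for each repo outside the allowlist.
audit_sources_dir() {
    dir=${1:-/etc/apt/sources.list.d}
    tab=$(printf '\t')
    for f in "$dir"/*.list; do
        [ -e "$f" ] || continue
        list_repo_hosts "$f" | while IFS="$tab" read -r host uri; do
            case " $ALLOWED_HOSTS " in *" $host "*) continue ;; esac
            printf '%s\t%s\t%s\n' "$f" "$uri" "$(snippet_owner "$f")"
        done
    done
}

audit_sources_dir "${1:-/etc/apt/sources.list.d}"
```

An owner other than "unowned" in the third column means the snippet arrived as a packaged file rather than through an explicit admin action, which is the case this report describes.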

Rolf Leggewie (r0lf) wrote :

I'd have no problem with the snippet being added, but disabled by default and a warning to the admin that he/she needs to enable it to get the full benefit or something. But this "tada, surprise" is an obvious no-no.

Rolf Leggewie (r0lf) wrote :

As far as I can see, the proper way to achieve what is being attempted here is to use debconf to bring up that prompt I spoke about in #1 or bring that part of enabling the repo into the installer when the OS is installed for the first time. A package in universe is definitely the wrong place for that both from a technical POV (the repo is actually not necessary at all for the software I have installed) as well as from a policy POV.
