Integration script prompt leads to untrusted download

Status changed to 'Confirmed' because the bug affects multiple users.

Apparently a lot of people do not get this. I do though, and I note that the packages are coming from universe. So I'm not sure what the beef could be.

mvo thinks this is because I have packagekit installed, and firefox is preferring that over aptdaemon. packagekit doesn't have the whitelist for webapps that aptdaemon does, so it makes sense that it would prompt for a password, but that doesn't yet explain why the warning mentions that it is not a trusted source.

I also have packagekit installed, so that could indeed be the cause.

If this is the case, someone would need to implement this in PackageKit's Aptcc backend to make it work... Why do you need that whitelist anyway, it looks like a very weird idea to me... Is there a spec page about this feature?

I'm not sure about a spec page. But the whitelist is just for a smoother experience. As I recall, aptdaemon whitelists packages from universe that match a webapps regex. Because it's a feature of Ubuntu out of the box, it makes it more seamless.

But there are two issues here. One is that it's asking for a password at all (the whitelist request) and the other is that it's suggesting a package from universe is not from a trusted source.

Exactly.... And to be honest, I dislike that feature if it is implemented that way... Why do I have to install packages for *web*-apps anyway? And if they are trusted, wouldn't it make more sense to add them directly to main?
Also, a whitelist is not very flexible...

Hello Matthias, Therry and Aaron,

Mvo is right: If packagekit is installed next to aptdaemon on the same system it will be preferred when performing a packagekit action. That is a feature since aptdaemon is the default and if an user decided to install packagekit he/she seems to wants to use it.

Canonical (Mvo) provided a branch which was now merged into aptdaemon and which allows to install highly trusted packages without the need for any authentication by the desktop user. It is the decision of the distribution which packages from which repo are regarded highly trusted. This can be confgured by dropping a small configuration file. To be honest I am not a big fan of this feature neither, but it seems to be a requirement by Ubuntu.

As a side node: Some time ago PackageKit even allowed a desktop user to install any trusted software without any authentication - but this was regarded as a security issue by large parts of the Fedora community. And so it was reverted.

AFAIK the implementation of this feature in PackageKit would require some re-designing of the PackageKit internals since the daemon asks for the authentication before moving the (trans)action to the backend which is aware of the highly trusted packages. The transaction needs to be simulated before to know if any highly trusted packages are affected.

Cheers,

Sebastian