Activating -proposed should need a confirmation with a proper warning

Bug #254584 reported by Henning Moll
This bug affects 22 people
Affects | Status | Importance | Assigned to | Milestone
software-properties (Ubuntu) | Fix Released | Wishlist | Sebastien Bacher |
Xenial | Fix Released | Wishlist | Sebastien Bacher |

Bug Description

The GUI is mainly intended for use by normal users. Using the proposed repository may cause problems and is therefore not recommended for the broad majority of users. The normal user should not be able to activate this repository by just a single click.

We need a proper warning, explaining what -proposed is, requiring confirmation by the user.

For example:

"Proposed is intended for people willing to test updates before they reach a wider audience. Are you sure you want to activate -proposed?"

<https://wiki.ubuntu.com/SoftwareUpdates#settings>: "The “When checking for updates, check for:” menu should contain options for “All updates” (the default, -security + -updates + -backports), “Security and recommended updates” (-security + -updates), and “Security updates only” (-security) (fixing bug 887079). If your current update config does not match one of those three options (for example, if you have opted in to -proposed), there should be a fourth, checked, option: “Custom”, and this option should persist until you close System Settings. (UI for configuring -proposed should be provided by the Ubuntu Contributor Console.)"

Papamatti2 (papamatti2) wrote :

If you activate the proposed repository there should be a hint/message that installing proposed packages could be dangerous and damage your system!

I confirm that this message is absolutely necessary!

Henning Moll (drscott) wrote :

In my opinion, the message is a minimum requirement. A far better solution would be the removal of that option. Proposed packages should be added manually.

enolive (enolive) wrote :

+1 for this

If someone really wants to test proposed packages, he should be smart enough to manually edit apt sources.list. At least rename the text for this repository to something more scary.

The name of the repository is misleading. Activated it by mistake and had to resolve some nasty dependencies to get rid of the proposed packages.
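
For anyone who wants to check whether -proposed has been switched on, by accident or otherwise, here is an added example (not part of this bug report or of software-properties) that scans apt source definitions for an active `-proposed` suite. It covers the one-line sources.list entries discussed in this thread and, going beyond the thread, the deb822 `.sources` stanza format; the function names are hypothetical and the sample inputs are constructed.

```python
import re
# One-line style: "deb [options] uri suite component..."
ONE_LINE = re.compile(r"^\s*(?:deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)")

def proposed_one_line(text):
    """(line number, uri, suite) for each active entry on a -proposed suite."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = ONE_LINE.match(line.split("#", 1)[0])  # commented-out entries are ignored
        if m and m.group(2).endswith("-proposed"):
            hits.append((n, m.group(1), m.group(2)))
    return hits

def proposed_deb822(text):
    """(stanza number, uri, suite) for each enabled stanza on a -proposed suite."""
    hits = []
    for n, stanza in enumerate(re.split(r"\n\s*\n", text.strip()), 1):
        fields, key = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") and key:  # continuation of previous field
                fields[key] += " " + line.strip()
            elif ":" in line and not line.startswith("#"):
                key = line.split(":", 1)[0].strip().lower()
                fields[key] = line.split(":", 1)[1].strip()
        if fields.get("enabled", "yes").lower() != "no":  # skip disabled stanzas
            for suite in fields.get("suites", "").split():
                if suite.endswith("-proposed"):
                    hits += [(n, uri, suite) for uri in fields.get("uris", "").split()]
    return hits

# Constructed sample inputs, not taken from any real machine.
SAMPLE_LIST = """\
deb http://archive.ubuntu.com/ubuntu xenial main restricted
# deb http://archive.ubuntu.com/ubuntu xenial-proposed main restricted
deb [arch=amd64] http://archive.ubuntu.com/ubuntu xenial-proposed main universe
"""
SAMPLE_SOURCES = """\
Types: deb
URIs: http://archive.ubuntu.com/ubuntu
Suites: noble noble-updates noble-proposed
Components: main

Types: deb
URIs: http://archive.ubuntu.com/ubuntu
Suites: noble-proposed
Components: main
Enabled: no
"""
print(proposed_one_line(SAMPLE_LIST), proposed_deb822(SAMPLE_SOURCES))
```

To audit a real system, pass in the contents of `/etc/apt/sources.list` and of each file under `/etc/apt/sources.list.d/` instead of the samples.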

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

affects: software-properties → software-properties (Ubuntu)
Changed in software-properties (Ubuntu):
status: New → Confirmed
affects: software-center → software-center (Ubuntu)
Changed in software-center (Ubuntu):
status: New → Confirmed
description: updated
Changed in software-properties (Ubuntu):
status: New → Triaged
Changed in software-center (Ubuntu):
status: New → Invalid
summary: - It should be harder/impossible to activate the proposed repository
+ Too easy to activate the proposed repository
Changed in software-properties (Ubuntu):
importance: Undecided → Low
Steve Langasek (vorlon) wrote : Re: Too easy to activate the proposed repository

The SRU process depends on us being able to get bug fixes tested by the users that are affected by the bugs. In support of this, we have been working towards making it as safe as possible for users to enable -proposed and only install the packages they select. Removing the UI for enabling -proposed at all would be at cross-purposes to this.

sem (semitones) wrote : Re: [Bug 254584] Re: Too easy to activate the proposed repository

I think entering a command into terminal is just as safe, and wouldn't have
people clicking it by accident. If how would users know they need to enable
-proposed without being able to look up how to do it? Or if there were a
popup or warning about -proposed, it would deter more people.

On Wed, Jun 12, 2013 at 6:05 PM, Steve Langasek <
<email address hidden>> wrote:

> The SRU process depends on us being able to get bug fixes tested by the
> users that are affected by the bugs. In support of this, we have been
> working towards making it as safe as possible for users to enable
> -proposed and only install the packages they select. Removing the UI
> for enabling -proposed at all would be at cross-purposes to this.

Matthew Paul Thomas (mpt) wrote : Re: Too easy to activate the proposed repository

And as far as I know, Ubuntu ships no UI for users to "only install the packages they select" even once they have turned on -proposed. Software Updater could, but even if so, they'd be buried amongst non-"-proposed" updates. That's why I designed the Contributor Console "Updates" tab to show -proposed updates, *only* those, and to let you turn on -proposed as well. <https://wiki.ubuntu.com/ContributorConsole#updates>

Andrew Starr-Bochicchio (andrewsomething) wrote :

Now that proposed is used for automatic testing in the development release, it is not meant for humans. Maybe it's time to hide this, at least on Ubuntu+1. We could use python-distro-info to check if the currently running release is Ubuntu+1. If so, we can gray out or hide the field completely.

Ara Pulido (ara)
summary: - Too easy to activate the proposed repository
+ Activating -proposed should need a confirmation with a proper warning
description: updated
Changed in software-properties (Ubuntu):
importance: Low → Wishlist
assignee: nobody → Will Cooke (willcooke)
no longer affects: software-center (Ubuntu)
no longer affects: software-center (Ubuntu Xenial)
Ara Pulido (ara) wrote :

I think that a confirmation is needed, to make sure that the people activating it know what they are doing.

Something like:

"Proposed is intended for people willing to test updates before they reach a wider audience. Are you sure you want to activate -proposed?"

description: updated
tags: added: rls-x-incoming
Will Cooke (willcooke)
tags: removed: rls-x-incoming
Changed in software-properties (Ubuntu Xenial):
assignee: Will Cooke (willcooke) → Sebastien Bacher (seb128)
Sebastien Bacher (seb128) wrote :

software-properties (0.96.18) xenial; urgency=medium

  * Create a new tab for developer options and move the proposed source to it.
    Since those updates can create issues they shouldn't be too easy to enable
    nor listed with the standard recommended sources.

Changed in software-properties (Ubuntu Xenial):
status: Triaged → Fix Released