Support installing local deb packages #1407
Comments
We can use |
|
@soumyaDghosh , what is
|
Eddy is probably not in the repo. |
|
I hope this is fixed soon. I love the look of the new snap store, but the Steam snap doesn't work with my Nvidia card yet. So I have been going to Steam website to get the deb to install. I installed gdebi to install the deb packages I needed. Thanks for your hard work in making Ubuntu better and better. |
|
In my opinion, it is absolutely essential that this problem is fixed for the next version of Ubuntu, in fact, I really think that the current version of Ubuntu should have the new store without this problem. The most common thing is that a new user, to install Google Chrome for example, goes to the official website, downloads the binary and double-clicks to install. When he notices that it doesn't work he will be completely lost... As Ubuntu is considered one of the most important distros for new users, it is very important that this problem is resolved. |
|
As an inspiration the previous incarnation of this app here had local deb side loading (it is still in the preview/edge channel to try) https://github.com/ubuntu/app-center/blob/archive/main/lib/app/package_installer/package_installer_page.dart 🤷 Bildschirmaufnahme.2023-12-24.um.14.36.50.mov |
Agreed 100% - this is a core feature that shouldn't require the command line or other tools. Previous versions of the store allowed it to work seamlessly |
|
Here is how it worked in the community driven app-center some months ago: Bildschirmaufzeichnung.vom.2024-01-05.16-49-56.webm |
|
Is there any update on this yet? 24.04 is supposed to launch this thursday |
|
Unfortunately we didn't have the capacity to work on this for 24.04, but it will be a priority for the next cycle! |
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment has been minimized.
This comment has been minimized.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
|
Okay everyone, as the creator of this project here, here is a warning: Warning Keep the off-topic and meta critique out of this github ticket! If you want to give feedback, positive or negative, or want to make comments that are unrelated to the pure development of this application here, please do this on https://discourse.ubuntu.com/ Please keep in mind that we are all humans. |
|
Speaking as the APT maintainer, let me outline a different path forward on the road to 26.04: In 23.10, we enabled .sources files for PPAs, in 24.04 we enabled .sources files for the main Ubuntu repositories too. My goal is to build on this foundation and provide an easy way to add 3rd-party repositories rather than packages, by extending the .sources format with some templating (so you can say "${OS_UBUNTU_CODENAME}" for example), and a field for listing packages to install. Then 3rd party deb providers can ship complete standalone .sources files. And we can validate the sources files, possibly checking the repository URL and/or having a blocklist for signing keys, copy it to sources.list.d, and then offer to install the packages listed in the file. The first stage of this is the easy |
|
This bug report is getting some new attention by way of trade press. As an Ubuntu developer and member of the Ubuntu Technical Board, I want to weigh in on the bug. In the short term, we should fix desktop-file-utils to not declare the snap store as a handler for .debs. It doesn't handle them, so this is clearly incorrect. In the long term, I believe this bug asking for automatic desktop handling of .debs through the snap store should be won't fix. Over a decade ago, we had forays into the use of extended attributes for tagging browser-downloaded files on the desktop, so that an extra verification step was required before executing downloaded files to protect users from accidentally running trojans. But people seem to think that if those same trojans are wrapped in a .deb file, point-and-click'ing your way to executing those same trojans AS ROOT is perfectly fine. Over the past decade, extras.ubuntu.com, then click packages, then snap packages have all had two main objectives:
Every third-party apt repository you enable on your system is an attack vector. Every third-party deb you install directly on your system is an attack vector. Every third-party app store you enable on your system is also an attack vector. (The first-party app store - archive.ubuntu.com+snapcraft.io - is also an attack vector. But you're always going to have at least one, and it's assumed that as a user of Ubuntu this is the one you've opted in to.) Any .deb you install can run arbitrary code at install time, unconfined, as root. It can also overwrite arbitrary files belonging to other core system packages, inject libraries into every running process using LD_PRELOAD nonsense, etc. As a user, I NEVER install any third-party .debs on my system without first rigorously inspecting the control file for the package, its contents (file paths), and any maintainer scripts to verify that there's no funny business going on. How do you expect to provide that level of safety in a GUI package installer for non-technical users? Even if you trust the publisher of the .deb, how do you make sure that it hasn't been tampered with in transit to your system? Do you trust https? Should users in Iran trust it? We should explicitly WONTFIX this. Installing third-party debs is a security minefield, and while we will never prohibit users from doing it, it is not something we should be explicitly enabling for non-technical users. There are much better ways that publishers SHOULD be distributing their software for Linux today. |
This comment has been minimized.
This comment has been minimized.
|
desktop-file-utils bug opened here: https://bugs.launchpad.net/ubuntu/+source/desktop-file-utils/+bug/2063855 |
I totally get what you're saying here and to a large extent agree with it. But what's the alternative? A skilled user will know enough to know whether they trust a third party .deb or not and can choose to install it or not as they see fit. An unskilled user, on the other hand, won't be prevented from installing a third party .deb, and in their frustration in trying to get it installed they probably won't be led to think more about "do you really trust this" by there simply being no graphical .deb installer. What they're going to do instead is Google some random blog site that will tell them to copy-paste commands into their computer, which they will then do (a security hole right there), and manage to get the app installed anyway without having done any security checks. Leaving a layer of frustration here will encourage insecure practices, not discourage them. What really might help from a security standpoint is to allow the user to install a third party .deb through Ubuntu's software store (removing the "random instructions from the Internet" security hole), but also give the user a stern warning about the implications of what they're doing (and maybe even a link to some security-educating documentation). That way a user who's just trying to get Google Chrome working will be able to say "well... I do trust Chrome, so... this should be OK," while a user that is trying to install some random game mods from someone's Google Drive will have some pause for thought before going ahead and doing the unsafe. Obviously it's not a total panacea, but I think it's more effective than simple frustration. |
|
I think Snap Store should manage Debian packages, though. It's like Microsoft Windows didn't have an easy way to click and install .msi files. Maybe they don't use Microsoft Store to do it, I don't know, but the need to open a terminal and install using the command line can be cumbersome for many people. I wouldn't say this about Arch, Gentoo, or even Debian, distros for more experimented users, but I will say that about Ubuntu since the niche is to be user-friendly, and not dealing with a simple, non-exoteric format like .deb packages is bad. I won’t expect to Ubuntu to deal easily with Flatpak, since it was determined that is out of scope, but .deb still is fair game. |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
I'd like to add that Valve still only offers official steam support on Linux for the Ubuntu operating system through the .deb package. (At least when I contacted them with an issue with a game.) That combined with the fact that most people coming from windows will automatically try to double-click an installer, to run it. I have friends who are scared to death of the command line and I have to recommend them away from Ubuntu because they can't install steam or other reputable, but really niche programs like manuskript by double-clicking. |
Android does it like this a warning appears on the entire screen that it is not safe in red and you have to wait 10 seconds to click I agree and am ready to accept the risk to install apk. Need just when he opens the deb file, the text will open why the deb version is not safe and he will be ready to accept the risks. And there will be large pictures in red with a warning, he accepts the offer and installation proceeds, but please, no timer |
|
Hi, I think this may well be out of scope for the app center, but it should be a feature that exists in the default Ubuntu installation, similarly to proprietary drivers. |
|
I honestly think this is a big mistake. Regardless the warnings, people such as my family members can now easily install software outside of the known Ubuntu ecosystem. Why would you allow that? Experts can just use apt install or gdebi for it. If one can't figure that out, perhaps installing software from other sources is not the best idea for them. I hope there will at least be a setting to block this feature. Can you comment on that? If not, I could of course block sudo for these users, but then they can't install anything from the software center either. Wrt the disregarding and locking in #1681 (comment) @Feichtmeier If the tab says "conversation", I think you should respect that or be clear in the instructions. Not everybody is a developer. |
|
@samvde This was handled a few days ago, and was released already. |
|
I think still have a problem to upgrade an existent package using .deb as
source. I will give my example: I downloaded the last intel-microcode
package from Debian but couldn't install using the App Center. The button
just does not become green so I can start the installation. I know this is
very tricky and potentially dangerous, but some apps like Zoom requires
periodically download and install new versions using .deb files because it
doesn't have a repository or a snap version.
Marcos Alano
…On Sun, Jun 16, 2024, 11:05 Didi Kohen ***@***.***> wrote:
@samvde <https://github.com/samvde> This was handled a few days ago, and
was released already.
Can someone close this issue?
—
Reply to this email directly, view it on GitHub
<#1407 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABN66R7FWKX4XRKISXH5USTZHWLR5AVCNFSM6AAAAAA5HUYPA2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCNZRGY3TOOJSGM>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
|
|
@kohend They initially commented on the pull request that implemented this. There, a maintainer there recommend they bring the discussion here. But yeah, I think this issue can be closed as completed, though not locked. |
|
I tested and reinstall a package from a .deb file doesn't work. Should I open a new issue since this one will be closed? What do you think? |
|
The feature's merged, but I'm pretty sure there hasn't been any new release that includes it yet. Edit: @malventano, that's exactly what I meant. |
This is the exact attitude that perpetually delays Linux adoption. If a user can't install Ubuntu and then install Chrome or other very popular 3rd party .deb apps without dropping to the command line, the Ubuntu team has failed at their task.
Merged does not equal released.
Merged does not equal released. |
This is exactly what Ubuntu could have been doing from day one. But apparently user friendliness of Ubuntu is no more. This is really sad to see that it took this long to get it fixed. And in the latest clear Ubuntu 24.04 install you can't install a deb file anymore via a simple GUI / install button. Well, if this is how Ubuntu want to welcome Linux users be my guest. I will never recommend using Ubuntu distro to new Linux users. |
|
Well for me the power of giving a system to a family member with a store that is essentially curated far outweighs the benefit of installing random stuff from the internet with all the risks that brings. There are no "very popular .deb packages" for general users other than Chrome, which ships as Chromium for reasons well understood and has clear instructions how to get it installed if one insists. I believe this feature is a typical "vocal minority" request. Most people don't care nor need it, but will have less security because of it. |
|
Remembering installing a .deb package isn't a free for all activity. You still need to enter the password for admin user. |
|
@samuk Who are you lying to, just chrome? Seriously? What about Steam? |
|
|
Please, @vadimk1337 don´t say he is lying. That could block the issue. |
I understand, but still find this change a mistake. |
|
Yeah, but consider a person could install a .deb package from the command-line either, if they have an admin user with sudo permission. If there is malice intent the package will be installed. |
|
@samuk The Snap version of Steam is one of the worst examples of Snap applications. |
How about Steam or literally any remote desktop app that said family members would now have to talk their relative through dropping to the terminal just to get installed. Making the 2/3rd market share browser harder to install could have been a sole reason to not regress the existing functionality.
Instructions that are all outdated and/or broken ("where the heck did 'Software install' go, which I've heard multiple times lately). Also, nobody should have to 'insist' to install Chrome or Steam.
The vocal minority are those who are now having to help others figure out how to do something as trivial as install software on their OS. There were already warning messages present and they were more than sufficient. Putting roadblocks in the way of letting users sideload apps is detrimental to adoption, and it's also one of the major reasons Android got a leg up on iOS early on. Those developers who do not learn from history will only hurt Linux adoption overall. I work at a decent sized company. We are currently working on a project where our partners would install Ubuntu as a part of our solution. Many of these are competent IT folk who typically work with Windows. We have had to recommend folks stick with 22.04 primarily because of this issue, because it is that much more of headache for them to install something like Rustdesk so we can remote in for assistance / troubleshooting. If that most basic thing becomes so much more difficult, decision makers are not seeing the forest through the trees.
The hubris of this statement... "Let's just remove the easy GUI-driven way to load your own app because we know better than any potential user of the system". What's next, remove all privilege escalation prompts because the dumb user might enter their password when they shouldn't have? Remove 'sudo su' because nobody should ever need to do that? |
I would say it is just unpolite but ok :-) I have tried to set up a linux gaming rig with desktop Steam as a deb, snap, flatpak and from arch repositories on at least 3 different linux distributions and they all failed. And I am aware of that one developer that had negative comments on the snap as well. But I think this is off-topic, every distribution has its problems. I'd say go with another distribution, there are plenty. |
|
@samuk zoom, virtualbox is also deb. |
As stated above, Steam is in the store supported by Ubuntu. Steam is outside the discussion for me. Remote desktop is not a typical novice user requirement.
Those who offer third party installation methods should provide the instructions. As they do: https://support.google.com/chrome/a/answer/9025903?hl=en
I think this is vastly exaggerated, supporting a multitude of non-technical linux users for a decade now. You know what I think hurts linux adoption more? Making discussions unnecessarily personal where somebody just has another opinion as yourself. Look at this thread alone.
I would especially expect any enterprise environment to be against this and curate even more what gets onto a system. Competent IT folk surely can figure out how to run apt install.
This is such a ridiculous reaction that is does not warrant a reply. I strongly believe my statement is fact and you are free to disagree. If you can only ridicule, be my guest. |
Both available in the store. |
Steam snap is not approved by Valve. If you have problems with it, maybe you even could get support. |
Virtualbox isn't available as a Snap and also Zoom doesn't have an official version. That's why I complained before: I can't install a .deb file for an application already present in the system. Zoom doesn't have a repository, so every upgrade I need to re-download the .deb and reinstall. |
Novice users never need remote support from someone more experienced? Nice theory.
More hubris. Cool.
apt install of a .deb throws warnings at the end of the process, but nice of you to show the wrong way to install the .deb package.
Except all of the places where it is clearly opinion, vs. the fact that regressing a UI flow from one release to the next is just plain bad UX. The fact that a fix has already been merged demonstrates that it is in fact your opinion that is in the minority, and cooler heads have thankfully prevailed. The reality is that the change should not have been made until it was on feature-parity with the prior release. Devs probably underestimated the demand for that feature and realized it would only get more complaints as folks moved over to the newer installer. |
|
This is a bugtracker, not a debate forum. The code that enables local deb installation is already merged into Git from what I understand. Could someone please lock this? This is getting annoying. @Feichtmeier @samvde @d-loose |
Don't forget WineGUI. Also deb. But yeah, just lock this issue.. I think we all made our points now.. Just lock it. I will move to Linux Mint anyway 🗡️ |
|
+1 on Mint/ Debian. Glad https://distrowatch.com/ still exists |
and others
There's no support for dealing with local packages yet. However 'snap-store' is supposed to handle those by default:
Do we have an alternative way of handling those for the time being?
The text was updated successfully, but these errors were encountered: