
Using the *nix way to improve PortableApps.com Services (Repositories, Apps Portabilizer for average user)

José Pedro Arvela
Using the *nix way to improve PortableApps.com Services (Repositories, Apps Portabilizer for average user)

I have a lot of ideas that can improve PortableApps.com Services (that are already great, by the way).

In summary, the idea is to provide a PortableApps.com Package Manager and repositories, and to portabilize the apps that can't be made portable in a way that won't confuse the average user.

 

To start: a PortableApps.com repository with a matching PortableApps.com Package Manager.

My idea is an online repository. This would have links to the application downloads. But SourceForge has the files on a lot of servers. Well, that is an advantage. For example, here is the download link for Portable Gimp from the Berlin Germany Server. This link won't pass through the download page; it will open the "Do you want to download this?" window. And here is the good part about this. If a package manager is made, people can choose the server to download the package from.

My idea is a bit basic: the repository is nothing more than a set of regular HTML pages linking to the packages. The structure I have in mind is a little bit like this (in this case viewing Gimp Portable through the Berlin, Germany Server):


Repository Root
+Asia
+Australia
-Europe
  +Belgium
  +Switzerland
  -Germany
    -Berlin
      +Accessibility
      +Development
      +Games
      -Graphics & Pictures
        Gimp Portable (link)
        Gimp Portable.txt
      +Internet
      +Music & Video
      +Office
      +Operating Systems
      +Utilities
    +Duesseldorf
  +France
  +Ireland
  +Netherlands
  +UK
+North America
+South America

Portable Gimp in this case is just a Page with the classic Gimp Portable & on a normal Webpage. You see an ampersand on the link; that ampersand would tell the Package Manager that the link is a download link instead of a link to another page. There would also exist a Gimp Portable.txt (with a .ini layout) for describing the application.

This would look like this:


[PortableAppDescription]
App=Gimp Portable
AppVersion=2.2.17
AppMaintainer=John Haller
AppDescription=GIMP Portable is the popular the GIMP for Windows image editor packaged as a portable app, so you can take your images with you and do your editing on the go.

 
All that the Package Manager would do is search these links to the download page and list them, using the text file to describe them. Then, if a person chooses to install it, it would download the app and do a silent install, showing the progress on a progress meter.
This way any person that has some basic HTML skills and web hosting can create his own Repository, which could be allowed to be used in the Package Manager for PortableApps as a 3rd party repository.

Also, if there were some 3rd party repositories that were approved by PortableApps.com, there could be a list of approved repositories and even a black list. These lists would be code signed. The package manager would download these to see if the actual repositories are PortableApps.com certified repositories. Besides that, John Haller (or any other maintainer) would give signatures to the owners of the repositories to maintain security.
These repositories would add a little image (maybe the PortableApps.com logo) beside that repository's apps. If a repository wasn't PortableApps.com certified, this would show no picture. If the repository was on the PortableApps.com black list, this would inform the user with a pop-up that the repository is on the black list when it was added, and would add a red "X" beside that repository's apps. If the repository code signing and the white/black list didn't match, then the Package Manager would inform the user that he might be a victim of forgery when he added the repository and add a question mark beside that repository's apps.

 

The second idea: Being able to have closed source apps without breaking any license.

This could be used with Java Portable. First the Installer would check if the app to be portabilized is installed on the host PC. Then, if not, it would download the installer from the net, install it on the host PC, make the necessary changes to make it Portable, and un-install it. If the app was installed on the host PC, it is easier: just portabilize the app from that install.

This could seem like a regular PortableApps.com installer to the average person, but in fact, it would be portabilizing the app. This technique is widely used in the Unix/Linux world. IEs4Linux uses this technique.

This way, almost any app (open or closed source) could be installed. This won't break the app license, and won't confuse the average user.

 

Well, this is my idea. For further development of this idea you can e-mail me at ptmb.papps[at]gmail[dot]com.

 

Changelog:

13/09/07 - Refinement of the PortableApps.com certified repositories idea.

12/09/07 - Added code signed PortableApps.com certified repositories list and PortableApps.com black list based on the suggestion of rab040ma.

11/09/07 - Added PortableApps description to the repository idea

09/09/07 - Initial idea

Ryan McCue
.

We were working on a solution like the first, however our main guy is MIA, so development has stopped. I'm hoping John might want to incorporate some of our ideas into it.
Also, if you simply use a downloader to get the download page, it will automatically reroute it so that you just get the file.

With regards to the second one, you've been around here long enough to know that John's getting a freeware server up soon.
----
Ryan McCue.
Blog.
So all that Airbus-delay trouble over here in Europe is because of YOU!
Simeon.

"If you're not part of the solution, you're part of the precipitate."

José Pedro Arvela
The second one is because...

...of the license. That way any app can be made portable, because there's no license being broken. That way Freeware apps' licenses aren't broken. I had already forgotten about the freeware server.

____________________
The Blogger of Portimão now in English. And the Portuguese version can be found here.

Blue is everything.

José Pedro Arvela
Update

The repository idea has been updated. Support for descriptions was added.

____________________
The Blogger of Portimão now in English. And the Portuguese version can be found here.

Blue is everything.

rab040ma
Package manager

I like the idea of automating the portablizing of any app, but think we should approach it with a bit of caution, since many software companies might think it violates their terms of use. Many others specifically license their software to a user, who can use it on any machine (or that sort of thing), in which case there would be no problem, but they aren't all that way.

You haven't mentioned code signing -- in fact I haven't seen code signing anywhere on the site. I'd want to see more of the releases be signed, either with a codesigning certificate such as might be obtained from cacert.org, or at the very least with a GPG key. Even publishing a (signed) list of hashes would probably do the job. The package manager could then check before installing the software, and give the end user an option if the software is not signed or, more importantly, does not match the signature.

We could insist that there be only one code signing key for all packages, but we could also simply publish a list of keys for contributors or hashes for installers and apps. I'm more concerned that the software is still in the same condition as when it left the programmer's or reviewer's desktop, than that the programmer or reviewer or librarian spent a lot of money to get a code signing certificate from Verisign.

Sorry if that seems too paranoid, I get that way sometimes.

MC

José Pedro Arvela
Nice idea

I think it is a nice idea.

The portabilizing of the apps, as I said, is just for apps with licenses that allow that (for example: freeware), so it wouldn't be possible to see a portabilized PhotoShop.

The code signing may be a good idea. A key that says that the repository is a PortableApps.com certified repository (even for 3rd party repositories) that would be at the top of the repository. If the app was on a PA.com certified repository, then it would show an icon that represents that info next to the app (like on Ubuntu repositories).

Even better, and safer, would be for a list of certified repositories to exist on the PortableApps.com server. Every time the package manager started, it could compare the repositories used with the PortableApps.com certified repositories list to see which repositories are certified or not. This would be safer because there's no possibility of faking a code signature (whether or not it is hard to make one).

I will even update the idea with your idea.

____________________
The Blogger of Portimão or O Blogger de Portimão. This week's article is: Correct predefined font on Firefox (or Portable Firefox) in Wine.

Blue is everything.

rab040ma
Paranoia

Those of us who are really paranoid would question using just a list of sites, since sites can be compromised and DNS might get poisoned. A signature stays with the app, so you could get the package from anywhere and have pretty good assurance that the package hadn't changed since it was signed. A signed list of sites might be okay too, but again, listing a site might get you into trouble if the site or DNS is compromised.

A self-signed signature might be replaced with another, but it wouldn't be accepted unless the signing certificate were acceptable. Using a CA like cacert would make that even more difficult to fake. But just having a well known signing key would be enough. No one but the holder of that key (e.g. the repository librarian, or John H, or whoever) would be able to make a sig. If you keep the certified key on a machine that is not connected to the Internet (for example) it would be very difficult indeed for it to be misused. And that is what we want.

MC
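
The check proposed in the two rab040ma posts above (a signed list of hashes, verified by the package manager before install), as an added example that is not code from this thread or from PortableApps.com. The Ed25519 key, the `<sha256-hex>  <file name>` list format, the file name and every function name are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Outcomes the package manager would report before running an installer.
const (
	OK          = "ok"           // list signed by the trusted key, hash matches
	BadManifest = "bad-manifest" // hash list not signed by the trusted key
	Unlisted    = "unlisted"     // installer has no entry in the signed list
	Mismatch    = "mismatch"     // installer changed after the list was signed
)

// CheckInstaller trusts the hash list only after its detached signature verifies.
func CheckInstaller(pub ed25519.PublicKey, manifest, sig []byte, name string, installer []byte) string {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, manifest, sig) {
		return BadManifest
	}
	sum := sha256.Sum256(installer)
	got := hex.EncodeToString(sum[:])
	for _, line := range strings.Split(string(manifest), "\n") {
		if hexSum, file, ok := strings.Cut(line, "  "); ok && file == name {
			if strings.EqualFold(hexSum, got) {
				return OK
			}
			return Mismatch
		}
	}
	return Unlisted
}

// Sample returns constructed data: a throwaway key, a one-line signed list, fake installer bytes.
func Sample() (ed25519.PublicKey, []byte, []byte, []byte) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	installer := []byte("constructed installer bytes")
	sum := sha256.Sum256(installer)
	manifest := []byte(hex.EncodeToString(sum[:]) + "  Gimp Portable.exe\n")
	return pub, manifest, ed25519.Sign(priv, manifest), installer
}

func main() {
	pub, manifest, sig, installer := Sample()
	fmt.Println(CheckInstaller(pub, manifest, sig, "Gimp Portable.exe", installer))
}
```

Because the signature covers the list and the list covers the installer bytes, the result does not depend on which mirror or DNS answer delivered the file.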

José Pedro Arvela
Well

The solution would be a mix of the two. A certified white list and black list, and a signature for each package. If they don't match, then the package manager would inform the user of that. I'll upload the idea.
 
____________________
The Blogger of Portimão or O Blogger de Portimão. Free your mind...

Blue is everything.

BuddhaChu
Good call

Good call on using cacert.org...great site/service and great idea.

Cancer Survivors -- Remember the fight, celebrate the victory!
Help control the rugrat population -- have yourself spayed or neutered!
