
Re: PPAs for Debian



On Wed, May 04, 2011 at 01:23:12AM -0400, Scott Kitterman wrote:
> On Wednesday, May 04, 2011 12:16:54 AM Paul Tagliamonte wrote:
> > On Wed, May 4, 2011 at 12:02 AM, Julien Valroff <julien@debian.org> wrote:
> > > On Wednesday 04 May 2011 at 00:02:01 (+0200 CEST), René Mayorga wrote:
> > >> On Tue, May 03, 2011 at 11:30:41PM +0200, Stefano Zacchiroli wrote:
> > >> > After all, in that respect what is the difference between that and
> > >> > unofficial APT repositories that many of us already maintain at
> > >> > people.d.o/~something or something.debian.net? Do you want to shut
> > >> > them down as well?
> > >> 
> > >> No, I was expressing over the PPA as an official service that allows
> > >> users to upload any package without any quality control.
> > > 
> > > AFAIU, only DDs and DMs could create PPAs and upload to them. If this is not
> > > the case, then I share your fears.
> > 
> > Usage of the PPA system on LP requires that you agree to the usage
> > terms (not unlike machine usage policies for Debian).
> > 
> > We let non-MOTU upload to their own PPAs (has their name in the URL),
> > and if nonfree (or malicious) packages are uploaded, they can have PPA
> > rights removed.
> > 
> > There's been one issue I can recall, and it was only a very very
> > slight DFSG technicality.
> 
> That depends on what you mean by 'issue'.  I think exactly the issues that 
> concern some people in Debian about packages of 'poor quality' being generated 
> in an uncontrolled PPA system are happening with regularity in Ubuntu.  
> Although it doesn't happen every week or anything, it's happened more often 
> than I can recall that someone files a bug in Ubuntu about broken PPA packages 
> done by some random non-developer.  I believe Debian is quite correct to be 
> concerned about the potential for user confusion and damage to Debian's 
> reputation for high quality work.
> 
> PPAs as a developer tool are one thing, PPAs as a tool for random uploads, I 
> think are quite another.  I'd hate to see Debian make the same mistake that 
> Canonical did in this regard.

Add to that that allowing random people to upload packages to be built
on Debian build daemons is a recipe to have the buildds compromised.

Mike

