micah anderson <micah@debian.org> (2015-04-19):
> You pointed out that apt will happily install a package from backports
> if it is not available in the base suite, which might mean that you
> don't realize that you are going to install something from backports
> because you didn't explicitly ask for it...
>
> However, I don't see how this is a 'ticking time bomb', that seems a
> tad hyperbolic. If someone wanted to install 'zmap' on wheezy, they do
> apt-get install zmap, find out there is no zmap package available,
> what happens next from my observations is they either give up thinking
> that the package just isn't available in debian, or they enable
> backports and then install zmap. The first one seems worth fixing, the
> second seems worth making easier.
>
> If you install zmap from backports and see that it is pulling from
> backports during the install and you really didn't want things from
> backports for some reason (and I can't think of a reason), you can
> always interrupt the process, or just remove the package after it's
> finished installing.
>
> Backports isn't some rogue repository filled with broken packages that
> are uploaded by untrustworthy people.

I never called packages broken or people untrustworthy; the fact is
these packages haven't had the same amount of testing within the said
suite as packages which were released in stable.

Packages sometimes bitrot in backports, with unfixed security issues,
up to the point they get removed. That can also happen because they're
not supportable anymore (e.g. owncloud in wheezy-backports). Now we
have debian-security-support for pathological cases in stable; does
that work for backports? I'm pretty sure running a no longer supported
owncloud instance is one of the worst things you can do with your data…

> One of the first things I do on every debian stable system I install
> is add backports entries to sources.lists. One of the most frequent
> confusions of people I support, who are using Debian, is
> unavailability of packages. I tell them to install X package, and they
> say "it's not in Debian" and then I have to discuss with them about how
> to discover that there is a package available in backports and how to
> enable it and get it. Simplifying this user experience seems worth
> it.

Maybe the docs we have are not good enough; surely we can do better at
educating users. Enabling backports by default with the risks that it
involves doesn't seem to quite be a reasonable trade-off as far as user
experience is concerned.

Mraw,
KiBi.