
Re: unofficial package repository and the bugs system



Fabrizio Polacco <fpolacco@icenet.fi> writes:
> Instead of discussing if we should or not _allow_ such repositories, we
> should create a system that would permit users to notice when they are
> installing "unofficial" packages _before_ they do that.
> 
> What I would like to see is a version of dpkg (not dselect or deity)
> that checks a "signature" (or a sort of) on each package and inform
> users of the "unofficiality" of each package, asking permission to
> install as root. Such dpkg should not only accept Debian's signature,
> but also signatures from some third party (for example a commercial
> distribution derived from Debian and that has a commitment with us), or
> packages built directly by the user itself.

There is a system for checking after the fact - check out:
 
http://dpkgcert.jimpick.com/

Of course, it's been running for a whole month and a half and nobody
has used it other than myself.  Oh well.  :-)

If there is a problem with people filing bug reports for non-Debian
packages (with the same name) in the Debian bug system, then it
might be necessary for the bug system to also require the maintainer
name of the package, and a verified package signature.

But that seems like an awful lot of work -- especially when the
problem hasn't occurred yet.  I don't want to impose any rules on
the contributors to the unofficial repository, but if they are
making .deb packages - I'd bet they are going to be fairly
respectful of Debian rules anyway.  Why tick off your users?

Cheers,

 - Jim
