
Re: Other things Gentoo have (was: Re: Lagging behind on security?)

On Fri, Jan 10, 2003 at 03:11:34PM -0200, Pablo Lorenzzoni wrote:

> | I think any tool that allows users to install software directly from
> | upstream without that software first being vetted by a maintainer should
> | be kept as far away from Debian as possible.  The QA process in Debian is
> | already much weaker than I wish it would be; I don't see any reason why
> | we should *endorse* a tool that bypasses all QA in this manner.

> I understand your concern, but we already "allow" rpm packages to be 
> installed w/o any QA. I don't see any reason why we shouldn't do the same with 
> a Ports-like system.

Ever tried it?  The Debian 'rpm' package does not let you install rpms on
your system without a fair amount of hand-adjustment.  This is quite

> As I said before: **I am not trying to replace dpkg/apt** These are our 
> standard and I think they should go on being our standard. These are the 
> packages that should pass through our QA team.

> Everything should remain as it is (with improvements where needed, of course,
> but mainly as it is). This Ports-like tool is just another package, as rpm
> is.

But you proposed apt-gar, which would bless this with the 'apt' name; and
you proposed a system where source code is pulled directly from upstream
sources without review by maintainers, which as I said I didn't think
even the ports systems did.

There are only two ways such a system can work: it can either interface
with the Debian packaging system, or it can ignore that system.  If it
interfaces with it, who writes the maintainer scripts?  Who checks for
policy compliance?  Debian has the good fortune that most .debs -- even
those *not* in the archive -- are largely policy-compliant: unlike rpms.
This would certainly change with autogenerated packages.  If it doesn't
interface with the packaging system, how do you prevent it from
overwriting files installed by an already-installed package?

I don't object to a ports-like system for Debian; I object to the idea of
pulling anything directly from upstream and installing it on a Debian
machine using Debian-provided tools.

> Come on... is it really that a big deal? It's just some way for
> advanced users to generate .deb packages from upstream tarballs. Maybe
> even we, developers, could have some use for it, after all...

I don't think advanced users are the ones most likely to use such a tool.

Steve Langasek
postmodern programmer
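The last question in the message above (how a tool that bypasses dpkg would avoid overwriting files that an installed package already owns) is the one part of the exchange that maps onto a concrete check. The script below is an added example, not code from the message, from Debian, or from any ports-like tool: it takes the file list an upstream tarball would unpack (as printed by `tar tf`) and reports every path already recorded in dpkg's per-package file lists. The only fact it relies on is that dpkg keeps those lists as `/var/lib/dpkg/info/<package>.list`, which is the same database `dpkg -S` searches. The function names, the directory parameter, and the sample package lists and tarball listing it builds for itself are all assumptions made up for this example; on a real system you would point it at `/var/lib/dpkg/info` instead of the constructed copy.

```shell
#!/bin/sh
# Added example (not from the mailing-list message or from Debian): detect
# which paths from an upstream tarball would clobber files owned by an
# installed package.  dpkg lists each installed package's files in
# /var/lib/dpkg/info/<pkg>.list; `dpkg -S` greps the same files.  The info
# directory is a parameter so the check can run against a constructed copy.

# conflicts DPKG_INFO_DIR FILELIST
#   FILELIST holds one tar entry per line ("./usr/bin/foo", "usr/bin/foo"
#   or "/usr/bin/foo").  Prints "<path> <owning package>" per collision.
#   Returns 0 when nothing would be overwritten, 1 otherwise.
conflicts() {
    info_dir=$1
    filelist=$2
    found=0
    while IFS= read -r entry; do
        # Directories (trailing slash) are shared between packages; only
        # regular entries can collide.  Skip blank lines too.
        case $entry in
            */|"") continue ;;
        esac
        # Normalise to the absolute form dpkg stores: strip "./", then make
        # sure there is exactly one leading slash.
        path=${entry#./}
        path=/${path#/}
        for list in "$info_dir"/*.list; do
            [ -f "$list" ] || continue
            if grep -qxF -- "$path" "$list"; then
                printf '%s %s\n' "$path" "$(basename "$list" .list)"
                found=1
            fi
        done
    done < "$filelist"
    [ "$found" -eq 0 ]
}

# make_fixture DIR: constructed sample data for this example, not a real
# system.  Two fake package file lists plus what `tar tf` might print for
# an upstream tarball that installs over them and also ships one unowned file.
make_fixture() {
    mkdir -p "$1/info"
    printf '%s\n' /. /usr /usr/lib /usr/lib/libfoo.so.1 /usr/share/doc/libfoo1 \
        /usr/share/doc/libfoo1/copyright > "$1/info/libfoo1.list"
    printf '%s\n' /. /usr /usr/bin /usr/bin/foo /usr/share/man/man1/foo.1.gz \
        > "$1/info/foo.list"
    printf '%s\n' ./ ./usr/ ./usr/bin/ ./usr/bin/foo ./usr/lib/libfoo.so.1 \
        ./usr/local/bin/foo-helper > "$1/files.txt"
}

# demo: run the check against the constructed fixture and show the result.
demo() {
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    echo "Files the tarball would overwrite (path owner):"
    conflicts "$tmp/info" "$tmp/files.txt" || echo "=> refuse to install"
    rm -rf "$tmp"
}

demo
```

Against a live Debian system the same function is used as `tar tzf foo-2.0.tar.gz > /tmp/files.txt; conflicts /var/lib/dpkg/info /tmp/files.txt`. It only answers the narrow question of file ownership; it says nothing about the maintainer scripts, dependency bookkeeping or policy compliance that the rest of the message raises, which is exactly why a tool that unpacks straight from upstream still needs dpkg in the loop.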
