Re: Facilitating external repositories

On Sat, Jun 06, 2015 at 01:48:12PM +0800, Paul Wise wrote:
> On Sat, Jun 6, 2015 at 8:13 AM, Brian May wrote:
> > the software is far too volatile (e.g. important bug fixes on a weekly basis)
> We have a place for such software: experimental
> > I don't want old versions hanging around any longer than absolutely required
> We have a place for such software: experimental

That only works for people who have rights to upload something to the
Debian archive. Do we really want to force all third-party developers to
become DMs or DDs?

Also, there are things too volatile even for experimental -- e.g.,
https://files.eid.belgium.be/debian/continuous contains the results of
our CI builds (signed by a different key); while useful for me and
people interested in following along with what's going to happen, this
is hardly something that should be uploaded to experimental.

(in my specific case, there is also a general feeling that the Belgian
Government shouldn't point its citizens to something not compiled by
systems inside government premises and/or signed by a third party)

> > I note the original poster mentioned Ubuntu PPAs and add-apt-repository; my
> > understanding is that these don't solve the trust issue, I seem to recall
> > the user is shown a fingerprint and asked to confirm it is correct (based on
> > what???) - however I don't have an Ubuntu box I can test this on right now.
> I would guess based on the OpenPGP web of trust or the user's trust in
> their OS that trusts the SSL CA that signed the Launchpad certs.

I hadn't actually looked in detail at whether add-apt-repository solves
the trust issue for PPAs; I just note that due to the fact that
Ubuntu's PPAs are all on the same system, it is in theory at least
possible for it to check the trust path.

