
Re: Facilitating external repositories



Hi Wouter,

2015-06-07 11:08 GMT+02:00 Wouter Verhelst <wouter@debian.org>:
> On Fri, Jun 05, 2015 at 09:10:56AM -0700, Josh Triplett wrote:
>> Wouter Verhelst wrote:
>> > At $DAYJOB, I'm maintaining a few repositories with ready-to-install
>> > packages for a number of distributions[1]
>> >
>> > Currently, the instructions[2] say to do the following:
>> > - Download and install an "eid-archive" package, which contains the GPG
>> >   keys and generates a sources.list.d file for the repository;
>> > - Run "apt-get update";
>> > - Install the "eid-mw" and/or "eid-viewer" packages.
>> >
>> > This works, but it has a number of downsides:
>> > - The second step, "run apt-get update", is often overlooked; this seems
>> >   to be the case especially for users of Ubuntu, where the default
>> >   handler for installing packages is the "Software Center", a GUI
>> >   software management tool that doesn't have any UI element for doing
>> >   (the equivalent of) apt-get update
>> > - There is no trust path from your already-installed distribution to the
>> >   "archive" package (yes, I did sign the gpg keys; no, I don't consider
>> >   that enough).
>> > - It still requires users to manually install packages.
>>
>> Given that the packages in question appear to be Free Software (at least
>> from a quick check of a couple of them, as well as the repository being
>> named "main"),
>
> Correct, it's all under GPLv3.
>
>> is there a reason you don't maintain them in Debian
>> (including backports or volatile if you need to provide the newest
>> packages for older distributions)?
>
> As others have pointed out, the said software used to be in Debian (I
> was its maintainer). The reasons for pulling it were long, complicated,
> and boring; suffice to say that there were some practical problems.
>
> (the ftp.d.o bug says "no reply from maintainer", which is only half the
> story. At the time I was aware of issues starting to build around beid,
> and trying to figure out how to fix them; I should've probably replied,
> but it occurred to me that pulling was probably a good strategy, at
> least in the short term)
>
>> If that's not an option for some reason, then given that the packages
>> are Free Software and of reasonably broad interest, you could at least
>> upload a package to Debian containing the archive key, similar to
>> pkg-mozilla-archive-keyring; that would establish a trust path.  (Which
>> doesn't solve the usability problem, but it does solve the trust
>> problem.)
>
> True, but I don't think it is the best way forward.
>
> First, it would work for me, as long as I'm still contracting for the
> government[1]. However, due to it being a *government* contract, this is
> an inherently time-limited situation[2]. I want this situation to remain
> manageable after the end of my contract.
I think this situation still allows maintaining the packages in
Debian: when (if ever) your contract ends and you don't want to
maintain the packages in your free time, you can orphan the packages.
The next maintainer could adopt the packages then.

I think this is simple, doable and does not require building trust
with external repositories, which I think is not a great idea
generally.

Cheers,
Balint

