Am 17.10.18 um 12:00 schrieb Marco d'Itri: > On Oct 17, Holger Levsen <holger@layer-acht.org> wrote: > >> yes, but when using your repo one has to add your key to the keys apt >> trusts, and this is something completly different than using proper >> backports. > Well... I trust much more Ondrej's archive since over the years it has > proven its quality and scope, while new packages are uploaded to > backports sometimes without much testing. I agree that Odrej's packages (from deb.sury.org) have been of good quality in the past and I'm a happy user of them myself for situations where php7.1 or newer is needed on servers running Stretch. Still I agree with Holger and would prefer packages from official Debian infrastructure for two reasons: * The packages (except for binary uploads) are known to be *built* on Debian infrastructure. In case of sury.org I have no doubts that Ondrej takes care of a good build environment. But for average users, being able to get packages from official Debian infrastructure gives them more confidence. * Adding backports to my sources.list doesn't automatically pull any packages from there. I have to choose particular packages in a manual process in order to install them from backports. That's different for repositories like sury.org that provide packages under the release target (e.g. 'stretch'). If I add deb.sury.org to my sources.list, then installed packages with newer versions in this repo are automatically upgraded. This makes it much easier to abuse the repo, e.g. in order to spread malware. In other words, the attack vector is way larger. Cheers jonas
Attachment:
signature.asc
Description: OpenPGP digital signature