Jonas Meurer: > Am 17.10.18 um 12:00 schrieb Marco d'Itri: >> On Oct 17, Holger Levsen <holger@layer-acht.org> wrote: >> >>> yes, but when using your repo one has to add your key to the keys apt >>> trusts, and this is something completly different than using proper >>> backports. >> Well... I trust much more Ondrej's archive since over the years it has >> proven its quality and scope, while new packages are uploaded to >> backports sometimes without much testing. > > I agree that Odrej's packages (from deb.sury.org) have been of good > quality in the past and I'm a happy user of them myself for situations > where php7.1 or newer is needed on servers running Stretch. > > Still I agree with Holger and would prefer packages from official Debian > infrastructure for two reasons: > > * The packages (except for binary uploads) are known to be *built* on > Debian infrastructure. In case of sury.org I have no doubts that > Ondrej takes care of a good build environment. But for average users, > being able to get packages from official Debian infrastructure gives > them more confidence. Reproducibility testing could probably be employed here in order to gain confidence of the packages in an external repository. (I see there's a 'reprotest' package that seems meant to help with this.) > * Adding backports to my sources.list doesn't automatically pull any > packages from there. I have to choose particular packages in a manual > process in order to install them from backports. That's different for > repositories like sury.org that provide packages under the release > target (e.g. 'stretch'). > If I add deb.sury.org to my sources.list, then installed packages with > newer versions in this repo are automatically upgraded. This makes it > much easier to abuse the repo, e.g. in order to spread malware. In > other words, the attack vector is way larger. There's an available middle-ground, which is to add an additional repository to the sources.list file and add an apt Pin-Priority in /etc/apt/preferences.d/ for that repository (of say priority 150) such that any installed packages from the additional repository get updated, but any not-already-installed packages from the additional repository aren't automatically used for upgrades. See 'man apt_preferences' for details. -- Chris -- Chris Knadle Chris.Knadle@coredump.us
Attachment:
signature.asc
Description: OpenPGP digital signature