Re: PHP Support in Debian

To: debian-devel@lists.debian.org, jonas@freesources.org
Subject: Re: PHP Support in Debian
From: Chris Knadle <Chris.Knadle@coredump.us>
Date: Sat, 20 Oct 2018 01:50:00 +0000
Message-id: <[🔎] 27b725c9-bd38-7db7-36a8-9eacf6c5260b@coredump.us>
In-reply-to: <[🔎] 56ae0ae6-12e7-7ad4-e5be-b88c2e015d9f@freesources.org>
References: <[🔎] 90e309db2cff6144e83cc3084038e611@bzed.de> <[🔎] F9D55A43-B205-4614-934C-399205BF34E6@sury.org> <[🔎] 20181017091630.ccr4wlbendndn56v@layer-acht.org> <[🔎] 20181017100000.GC5328@bongo.bofh.it> <[🔎] 56ae0ae6-12e7-7ad4-e5be-b88c2e015d9f@freesources.org>

Jonas Meurer:
> Am 17.10.18 um 12:00 schrieb Marco d'Itri:
>> On Oct 17, Holger Levsen <holger@layer-acht.org> wrote:
>>
>>> yes, but when using your repo one has to add your key to the keys apt
>>> trusts, and this is something completly different than using proper
>>> backports.
>> Well... I trust much more Ondrej's archive since over the years it has 
>> proven its quality and scope, while new packages are uploaded to 
>> backports sometimes without much testing.
> 
> I agree that Odrej's packages (from deb.sury.org) have been of good
> quality in the past and I'm a happy user of them myself for situations
> where php7.1 or newer is needed on servers running Stretch.
> 
> Still I agree with Holger and would prefer packages from official Debian
> infrastructure for two reasons:
> 
> * The packages (except for binary uploads) are known to be *built* on
>   Debian infrastructure. In case of sury.org I have no doubts that
>   Ondrej takes care of a good build environment. But for average users,
>   being able to get packages from official Debian infrastructure gives
>   them more confidence.

Reproducibility testing could probably be employed here in order to gain
confidence of the packages in an external repository.  (I see there's a
'reprotest' package that seems meant to help with this.)

> * Adding backports to my sources.list doesn't automatically pull any
>   packages from there. I have to choose particular packages in a manual
>   process in order to install them from backports. That's different for
>   repositories like sury.org that provide packages under the release
>   target (e.g. 'stretch').
>   If I add deb.sury.org to my sources.list, then installed packages with
>   newer versions in this repo are automatically upgraded. This makes it
>   much easier to abuse the repo, e.g. in order to spread malware. In
>   other words, the attack vector is way larger.

There's an available middle-ground, which is to add an additional repository to
the sources.list file and add an apt Pin-Priority in /etc/apt/preferences.d/ for
that repository (of say priority 150) such that any installed packages from the
additional repository get updated, but any not-already-installed packages from
the additional repository aren't automatically used for upgrades.

See 'man apt_preferences' for details.

  -- Chris

-- 
Chris Knadle
Chris.Knadle@coredump.us

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

Follow-Ups:
- Re: PHP Support in Debian
  - From: Jonas Meurer <jonas@freesources.org>

References:
- PHP Support in Debian
  - From: Bernd Zeimetz <bernd@bzed.de>
- Re: PHP Support in Debian
  - From: OndÅ™ej SurÃ½ <ondrej@sury.org>
- Re: PHP Support in Debian
  - From: Holger Levsen <holger@layer-acht.org>
- Re: PHP Support in Debian
  - From: Marco d'Itri <md@Linux.IT>
- Re: PHP Support in Debian
  - From: Jonas Meurer <jonas@freesources.org>

Prev by Date: RFA: spice-vdagent - spice agent for linux
Next by Date: Re: Debian Buster release to partially drop non-systemd support
Previous by thread: Re: PHP Support in Debian
Next by thread: Re: PHP Support in Debian
Index(es):
- Date
- Thread