
Re: dpkg feature implementation



On Wed Jan 06 13:13, dE . wrote:
> There is always a security problem when it comes to installing
> something which is not directly downloaded from a trustable
> server...whether it be source codes or deb package of a software
> which is not in the repository or even if someone gave it to claiming
> it's from the repos...you never know.

Which is why we try to arrange that everything _does_ come from the
repository.

> The sdebp poses the same security issues as with deb packages...after
> all it's just many deb packages made into a single archive...there's
> hardly any difference. As a result I'm with Martin...it needs to be a
> third party application or a new component of apt, not a dpkg
> modification.

Except that the suggestions here involve getting the deb from a trusted
source (either a mirror, or a CD, both of which are cryptographically
assured).

I think if you do want to pursue some kind of single 'blob' which
contains multiple packages, this is mainly a tooling issue. If there was
a tool to very easily build a CD iso which was a mirror containing a
single package + depends and then a 1-click method of adding that mirror
and installing everything on it, that would seem to suffice. It would
also keep the separate packages from the point of view of the system,
which is nice. However, I agree that this is not something which should
be part of dpkg itself.

However, I think your target user of 'doesn't have a regular internet
connection' is a rapidly shrinking market. Who in western countries
doesn't have always on internet already? Even in third-world countries
the set of people with a computer but no access to sufficient internet
to update packages on it is small (particularly if you only count people
who can download to a USB stick, but not directly to their computer).
For the rest, getting a copy of the DVD isn't hard.

Matt

-- 
Matthew Johnson
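
Added example, not part of the original message: the hash chain that lets a mirror or CD holding one package plus its dependencies be verified, and that a bare bundle of .deb files lacks. It assumes the usual apt layout (a signed Release file listing SHA256 hashes of the Packages indexes, which in turn list the SHA256 of each .deb); the paths, the package names foo and libbar and all payload bytes are constructed, and the signature on Release is assumed to have been checked separately.

```python
import hashlib

SUITE = "dists/stable/"  # assumed layout; Release lists paths relative to this
def sha256(data):
    return hashlib.sha256(data).hexdigest()

def release_index_hashes(release_text):
    """Return {path: (sha256, size)} from the SHA256 section of a Release file."""
    hashes, in_section = {}, False
    for line in release_text.splitlines():
        if in_section and line.startswith(" "):
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
        else:
            in_section = line.startswith("SHA256:")
    return hashes

def stanzas(packages_text):
    """Yield each Packages stanza as a dict of its single-line fields."""
    for block in packages_text.strip().split("\n\n"):
        lines = [l for l in block.splitlines() if l and not l[0].isspace()]
        yield {k.strip(): v.strip() for k, _, v in (l.partition(":") for l in lines)}

def verify_mirror(files):
    """files maps repo-relative path -> bytes; returns a list of problems."""
    # Assumption: the signature on Release was already checked (e.g. with gpgv).
    problems, listed = [], set()
    release = files[SUITE + "Release"].decode()
    for path, (digest, size) in release_index_hashes(release).items():
        data = files.get(SUITE + path)
        if data is None or len(data) != size or sha256(data) != digest:
            problems.append("index mismatch: " + path)
            continue  # never trust package hashes from an unverified index
        for st in stanzas(data.decode()):
            listed.add(st["Filename"])
            deb = files.get(st["Filename"])
            if deb is None or sha256(deb) != st["SHA256"]:
                problems.append("package mismatch: " + st["Filename"])
    return problems + ["unlisted package: " + p for p in files
                       if p.endswith(".deb") and p not in listed]

def sample_mirror():
    """Constructed mirror: one package plus its dependency, made-up bytes."""
    debs = {"pool/main/f/foo/foo_1.0_all.deb": b"constructed foo payload",
            "pool/main/l/libbar/libbar_2.1_all.deb": b"constructed libbar payload"}
    pkgs = "\n\n".join("Package: %s\nFilename: %s\nSHA256: %s" % (
        p.split("/")[3], p, sha256(d)) for p, d in debs.items()).encode()
    rel = "Suite: stable\nSHA256:\n %s %d main/binary-all/Packages\n" % (sha256(pkgs), len(pkgs))
    return {**debs, SUITE + "main/binary-all/Packages": pkgs, SUITE + "Release": rel.encode()}
```

verify_mirror(sample_mirror()) returns an empty list; a modified .deb, a .deb that no index lists, or an altered Packages file each produce an entry.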
