On Wed Jan 06 13:13, dE . wrote:
> There is always a security problem when it comes to installing
> something which's not directly downloaded from a trustable
> server...whether it be source codes or deb package of a software
> which's not in the repository or even if someone gave it to claiming
> it's from the repos...you never know.

Which is why we try to arrange that everything _does_ come from the
repository.

> The sdebp poses the same security issues as with deb packages...after
> all it's just many deb packages made into a single archive...there's
> hardly any difference. As a result I'm with Martin...it needs to be a
> third party application or a new component of apt, not a dpkg
> modification.

Except that the suggestions here involve getting the deb from a trusted
source (either a mirror, or a CD, both of which are cryptographically
assured).

I think if you do want to pursue some kind of single 'blob' which
contains multiple packages, this is mainly a tooling issue. If there was
a tool to very easily build a CD iso which was a mirror containing a
single package + depends and then a 1-click method of adding that mirror
and installing everything on it, that would seem to suffice. It would
also keep the separate packages from the point of view of the system,
which is nice.

However, I agree that this is not something which should be part of dpkg
itself.

However, I think your target user of 'doesn't have a regular internet
connection' is a rapidly shrinking market. Who in western countries
doesn't have always on internet already? Even in third-world countries
the set of people with a computer but no access to sufficient internet
to update packages on it is small (particularly if you only count people
who can download to a USB stick, but not directly to their computer).
For the rest, getting a copy of the DVD isn't hard.

Matt

--
Matthew Johnson