Re: List of consultants focusing on Debian packaging for Java?
On Mon, Dec 07, 2020 at 02:26:01PM +0100, Hans-Christoph Steiner wrote:
> Third party package repositories are a thing, like Ubuntu PPAs, aptly,
> JFrog Debian Repositories, etc. Unfortunately, due to Debian Apt's
> design, that means giving root access to each repository (package
> pre-install/remove/etc scripts are run as root). So installing via
> external repositories means the user need to consider whether they
> trust those third party repositories with root access.
It isn't entirely unfortunate.
Users, and especially system administrators, ought to be minimally
trusting of external resources. The TCB must be kept small, or security
is an illusion.
Apt's design, IMO, encourages people to think twice - and ideally to
stop themselves - before they install software. Especially software
from outside Main, and *especially* software from outside Debian.
Put differently: yes, third party package repositories are a thing. But
they are mostly not a good thing, and they should probably not be
encouraged.
Far, far better for the OP to keep the focus on getting OpenRefine into
Debian properly, rather than to consider expending time and resources on
less beneficial outcomes.
(BTW, Hans-Christoph, I think you were, above, trying to point out
pitfalls of third party repositories; not trying to encourage their use.
So, my email is not intended as a dig at you at all. I just wanted to
point out that Apt's design is in many ways something to be glad about.
I am grateful to the Apt developers and to responsible Debian packagers
everywhere, and I would be happy for this gratitude to one day also
extend to whoever ends up packaging OpenRefine for Debian.)
--
A: When it messes up the order in which people normally read text.
Q: When is top-posting a bad thing?
() ASCII ribbon campaign. Please avoid HTML emails & proprietary
/\ file formats. (Why? See e.g. https://v.gd/jrmGbS ). Thank you.
Reply to: