
Re: additional virtual packages for kde



On 28 Nov 1997, Rob Browning wrote:

> Christian Schwarz <schwarz@monet.m.isar.de> writes:
> 
> > I think such a "blacklist" goes too far (cf. the current discussion on
> > debian-private about "censored" packages). I don't think we should
> > maintain such a list.
> > 
> > However, we should probably implement something like the "Origin:" field.
> > With that, dpkg could keep a list of vendors from which packages have
> > already been installed on the system. If one tries to install a package
> > from an unknown vendor (i.e., someone from which no packages have been
> > installed already), dpkg should issue a warning before performing the
> > installation.
> 
> Origin: is probably a good idea, but may very well be too general for
> some important applications.  What do we do if a particular source has
> packages contributed by their people that are for the most part fine,
> but there are one or two that are *really* broken.  I know "blacklist"
> has bad connotations, but in some cases it may be the right thing to
> do.

I still think that it's not our job to "judge" which packages are fine and
which are not. What we can probably do, is to set up a web page which
explains packages from third parties and describes their problems, but
"hardcoding" a list into dpkg is too much, I think. If the user decides to
install a package from someone else, he/she should be free to do it. dpkg
could warn then, if the origin is unknown (i.e., if the PGP signature
can't be checked) but should actually perform the installation if some
--force-unknown-origin flag is set.

> I suppose we can just wait until this is actually an issue -- we don't
> really have any pressing reason to worry about it now.

That's a good idea.

Anyways, I think everyone here agrees that such a new control field would
be useful. When I prepare the next policy weekly posting I'll have a close
look at the previous suggestion about PGP signing packages and how this
could be extended with an "Origin:" tag. We'll see.


Thanks,

Chris

--                  Christian Schwarz
                     schwarz@monet.m.isar.de, schwarz@schwarz-online.com,
Debian is looking     schwarz@debian.org, schwarz@mathematik.tu-muenchen.de
for a logo! Have a
look at our drafts     PGP-fp: 8F 61 EB 6D CF 23 CA D7  34 05 14 5C C8 DC 22 BA
at    http://fatman.mathematik.tu-muenchen.de/~schwarz/debian-logo/
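
The check proposed in this message, sketched as an added example; it is not part of the original post and not dpkg code. The "Origin:" handling, the `known_vendors` set, the `signature_ok` input and the `force_unknown_origin` argument (standing in for the suggested --force-unknown-origin flag) are assumptions for illustration, and the control stanza is constructed.

```python
# Added illustration of the proposal in this thread; not dpkg's implementation.
# The Origin handling, vendor list and force_unknown_origin are hypothetical.

def parse_control(text):
    """Parse one control stanza (RFC 822 style) into a dict with lowercase keys."""
    fields, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            break                      # a blank line ends the stanza
        if line[0] in " \t":           # continuation of the previous field
            if last is None:
                raise ValueError("continuation line before any field")
            fields[last] += "\n" + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed control line: {line!r}")
        last = name.strip().lower()
        fields[last] = value.strip()
    return fields


def check_origin(control_text, known_vendors, signature_ok, force_unknown_origin=False):
    """Return (install, warning); known_vendors grows when a new vendor is accepted."""
    origin = parse_control(control_text).get("origin")
    # Known origin: signature verified and a package from this vendor was installed before
    if origin and signature_ok and origin.lower() in known_vendors:
        return True, None
    if not origin:
        warning = "package has no Origin field"
    elif not signature_ok:
        warning = f"origin {origin!r} cannot be verified (signature check failed)"
    else:
        warning = f"no package from vendor {origin!r} has been installed before"
    if not force_unknown_origin:
        return False, warning          # warn and stop unless the user forces it
    if origin and signature_ok:
        known_vendors.add(origin.lower())   # remember the vendor the user accepted
    return True, warning


# Constructed sample control stanza
SAMPLE = """Package: example-pkg
Version: 0.0-1
Origin: example-vendor
Description: constructed sample
 second line of the description
"""
```

An unverifiable signature is never added to the vendor list, so forcing one installation does not silence the warning for later packages that claim the same origin.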

