
third-party packages adding apt sources



More and more frequently I'm encountering systems where third-party
repositories have been added into /etc/apt/sources.list or
/etc/apt/sources.list.d, usually put there by some .deb package that a
user installed from some third-party site.

There are a few things going on here:

a) the .deb format is convenient and respected, so when a user sees a
.deb file, they have the impression it is easy to install and
potentially trustworthy.

b) many upstreams appear frustrated about getting their package
officially supported in Debian.  Sometimes there is good reason their
package doesn't belong in Debian, but sometimes it is more about inertia
in Debian, or the upstream isn't aware of backports and thinks their
package will be stuck at a particular version forever.

From a technical perspective, can we do more to prevent users being
surprised by packages putting new entries in /etc/apt/sources.list.d?

From an organizational perspective, can we do more to make contact with
such upstreams and try to find ways to involve them in releasing their
packages through official channels?  Is there any way we could gather
data about how many upstreams do this without compromising user privacy?
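
Added example, not part of the original message: one way to see before installation whether a .deb would touch APT's sources or trusted keys, using the listing from `dpkg-deb -c` and the control scripts extracted by `dpkg-deb -e`. The function names, the sample listing and the `example-vendor` file names are constructed for illustration, and the script scan is only a keyword heuristic.

```shell
#!/bin/sh
# Added example (not from the original post): pre-install check for a .deb
# that would add APT sources or trusted keys.

# Read `dpkg-deb -c` output on stdin; print payload files under APT's
# source-list and keyring locations. Field 6 of each line is the path.
flag_apt_paths() {
    awk '{ p = $6; sub(/^\.?\/?/, "/", p) }
         p ~ /^\/etc\/apt\/(sources\.list|trusted\.gpg)(\.d\/.+)?$/ { print p }'
}

# Given a control directory extracted with `dpkg-deb -e`, print the names of
# maintainer scripts that mention APT source or key handling. Such scripts
# can write entries at install time without shipping them as payload files.
scripts_touching_apt() {
    for s in preinst postinst prerm postrm config; do
        [ -f "$1/$s" ] || continue
        if grep -Eq '/etc/apt/(sources\.list|trusted\.gpg)|apt-key|add-apt-repository' "$1/$s"; then
            echo "$s"
        fi
    done
}

# Run both checks against a .deb file without installing it.
inspect_deb() {
    tmp=$(mktemp -d) || return 1
    dpkg-deb -c "$1" | flag_apt_paths
    dpkg-deb -e "$1" "$tmp" && scripts_touching_apt "$tmp"
    rm -rf "$tmp"
}

# Constructed sample listing in `dpkg-deb -c` format (hypothetical package).
SAMPLE_LISTING='drwxr-xr-x root/root         0 2024-01-01 00:00 ./etc/apt/sources.list.d/
-rw-r--r-- root/root        58 2024-01-01 00:00 ./etc/apt/sources.list.d/example-vendor.list
-rw-r--r-- root/root      1200 2024-01-01 00:00 ./etc/apt/trusted.gpg.d/example-vendor.gpg
-rwxr-xr-x root/root      9000 2024-01-01 00:00 ./usr/bin/example'

# Demonstrate the payload check on the constructed listing.
printf '%s\n' "$SAMPLE_LISTING" | flag_apt_paths
```

On a real file, call `inspect_deb ./package.deb`; any output means the package deserves a closer look before it is installed.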




