Re: third-party packages adding apt sources

Daniel Pocock writes ("third-party packages adding apt sources"):
> b) many upstreams appear frustrated about getting their package
> officially supported in Debian.  Sometimes there is good reason their
> package doesn't belong in Debian but sometimes it is more about inertia
> in Debian or the upstream isn't aware about backports and thinks their
> package will be stuck at a particular version forever

Providing a proper Debian source package is also a lot more work than
writing some kind of ad-hoc build system that spits out a .deb or

> From a technical perspective, can we do more to prevent users being
> surprised by packages putting new entries in /etc/apt/sources.list.d?

IMO we should set up a registry of such organisations, and their
cryptographic keys, and at least document promises made by the
organisation about its behaviour with respect to various principles
that we might care about.

(For example, "this repo only contains packages which are dfsg-free
and come with source code"; "this repo contains packages which do not
themselves phone home"; ...)

> From an organizational perspective, can we do more to make contact with
> such upstreams and try to find ways to involve them in releasing their
> packages through official channels?  Is there any way we could gather
> data about how many upstreams do this without compromising user privacy?

Debian proper has a very high bar for inclusion.  Obviously there are
perhaps some packages which are close to suitable for inclusion, but
the vast majority of things that aren't in Debian proper are outside
it for real, nontrivial reasons (whether of technical quality of the
binaries, technical quality of the source, or political/ethical

What we need to do is provide an easier and better way for unofficial
repositories.  That means an easy way for third party software
providers to publish repositories which it is then easy for users to
use, if the user chooses to do so.

Importantly, we need:

1. A way for the user to get good, trustworthy (ie, coming in some
   sense from Debian), information about the repository.  Including
   the identity of the organisation providing it; and some
   classification of Debian's opinion about the software in it.

2. A way for the user to reliably get the public keys on their system,
   that doesn't involve them clicking on a .deb on the public

If we had such a thing, dealing with the admin of it would be a
nontrivial task.  It would have to be distributed.
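As an added illustration of the problem the thread describes (this is not code from the post or from Debian), the script below parses one-line sources.list.d entries, reports the ones not served from a trusted host, and shows whether each pins its own Signed-By keyring or relies on the global trusted keyring, whose keys are accepted as signers for every configured repository. The sample file contents and the example.* hosts are constructed; deb822 .sources files are not handled.

```python
import re

# One-line sources.list syntax: deb [opts] URI suite [components...]
ONE_LINE = re.compile(
    r"^(?:deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?(?P<uri>\S+)\s+(?P<suite>\S+)")

def parse_list(text):
    """Parse one-line (.list) entries; comment and blank lines never match."""
    entries = []
    for line in text.splitlines():
        m = ONE_LINE.match(line.strip())
        if not m:
            continue
        opts = dict(o.split("=", 1) for o in (m.group("opts") or "").split() if "=" in o)
        entries.append({"uri": m.group("uri"), "suite": m.group("suite"),
                        "signed_by": opts.get("signed-by")})
    return entries

def audit(entries, trusted_hosts):
    """Return (uri, suite, signed_by) for each entry not served from a trusted host.
    signed_by is None when the entry has no signed-by option, i.e. the repo's
    key must live in the global keyring and can then sign for any repository."""
    findings = []
    for e in entries:
        host = re.sub(r"^\w+://", "", e["uri"]).split("/")[0]
        if any(host == h or host.endswith("." + h) for h in trusted_hosts):
            continue
        findings.append((e["uri"], e["suite"], e["signed_by"]))
    return findings

# Constructed sample sources.list.d content; the example.* hosts are hypothetical.
SAMPLE_LIST = """# official mirror, skipped by the audit
deb http://deb.debian.org/debian bookworm main
deb [arch=amd64 signed-by=/usr/share/keyrings/vendor.gpg] https://apt.example.com/debian stable main
deb https://apt.other.example.net/ ./
"""

def audit_sample():
    """Run the audit over the constructed sample, trusting only debian.org hosts."""
    return audit(parse_list(SAMPLE_LIST), ["debian.org"])
```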
