Re: third-party packages adding apt sources
On 19/05/16 19:04, Ian Jackson wrote:
> Daniel Pocock writes ("third-party packages adding apt sources"):
>> b) many upstreams appear frustrated about getting their package
>> officially supported in Debian.  Sometimes there is good reason their
>> package doesn't belong in Debian but sometimes it is more about inertia
>> in Debian or the upstream isn't aware about backports and thinks their
>> package will be stuck at a particular version forever
> 
> Providing a proper Debian source package is also a lot more work than
> writing some kind of ad-hoc build system that spits out a .deb or
> three.
> 
>> From a technical perspective, can we do more to prevent users being
>> surprised by packages putting new entries in /etc/apt/sources.list.d?
> 
> IMO we should set up a registry of such organisations, and their
> cryptographic keys, and at least document promises made by the
> organisation about its behaviour with respect to various principles
> that we might care about.
> 
> (For example, "this repo only contains packages which are dfsg-free
> and come with source code"; "this repo contains packages which do not
> themselves phone home"; ...)
> 
>> From an organizational perspective, can we do more to make contact with
>> such upstreams and try to find ways to involve them in releasing their
>> packages through official channels?  Is there any way we could gather
>> data about how many upstreams do this without compromising user privacy?
> 
> Debian proper has a very high bar for inclusion.  Obviously there are
> perhaps some packages which are close to suitable for inclusion, but
> the vast majority of things that aren't in Debian proper are outside
> it for real, nontrivial reasons (whether of technical quality of the
> binaries, technical quality of the source, or political/ethical
> reasons).
> 
Do you think that if these upstreams became involved in other ways - for
example, if we proactively invited them to MiniDebConfs and other events
- we might bridge the gap to help them understand our way of thinking,
whether it is technical or otherwise?
Sure, some of them will never change, and some of them have no capacity to
think long-term, but there are others who simply don't quite understand
and may go the extra mile if they get to know us a little better.
> What we need to do is provide an easier and better way for unofficial
> repositories.  That means an easy way for third party software
> providers to publish repositories which it is then easy for users to
> use, if the user chooses to do so.
> 
> Importantly, we need:
> 
> 1. A way for the user to get good, trustworthy (ie, coming in some
>    sense from Debian), information about the repository.  Including
>    the identity of the organisation providing it; and some
>    classification of Debian's opinion about the software in it.
> 
> 2. A way for the user to reliably get the public keys on their system,
>    that doesn't involve them clicking on a .deb on the public
>    internet.
> 
Another thing comes to mind: making sure that even if the user
explicitly allows some other repository, they are protected from package
updates that come along and replace other things like apt itself, libc,
bash, gnupg, ...
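A concrete form of the two protections this thread touches on (scoping a repository's signing key, and stopping a third-party repository from replacing core packages), added here as an illustration and not taken from the thread; the hostname, keyring path and package list are placeholders:

```text
# /etc/apt/sources.list.d/example-vendor.sources  (deb822 format)
# Signed-By ties the vendor key to this one repository; a key dropped into
# /etc/apt/trusted.gpg.d would instead be trusted for every repository.
Types: deb
URIs: https://deb.example.org/debian
Suites: stable
Components: main
Signed-By: /usr/share/keyrings/example-vendor-archive-keyring.gpg

# /etc/apt/preferences.d/example-vendor
# Pin by hostname ("origin") rather than by the Origin: label in the Release
# file: the repository operator controls that label and could copy Debian's.
#
# Core packages must never come from this repository. A negative priority
# means that version is never installed, even if it is newer than Debian's.
Package: apt libc6 bash gnupg
Pin: origin "deb.example.org"
Pin-Priority: -1

# Everything else from the repository ranks below Debian's own archive
# (default priority 500), so it is only used for packages Debian does not
# ship, or when the user explicitly requests that version.
Package: *
Pin: origin "deb.example.org"
Pin-Priority: 100
```

`apt-cache policy apt` should then list the vendor's version with priority -1, and `apt-cache policy` with no argument shows which pins are in effect.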