
Re: third-party packages adding apt sources



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, May 19, 2016 at 07:15:01PM +0200, Daniel Pocock wrote:
> Another thing comes to mind: making sure that even if the user
> explicitly allows some other repository, they are protected from package
> updates that come along and replace other things like apt itself, libc,
> bash, gnupg, ...

I don't think we want to prevent that.  If they want to install a package that
does that, they can.  However, I think it is reasonable to warn them that they
should get ready for trouble when installing a package that isn't from Debian,
and especially if they install a new entry into sources.list from an external
source.

I don't see how to technically do such a thing though; the problem is that
these kinds of upstreams often don't care about our (or their users') systems
and will inject any code in their package that makes the warnings go away.

Thanks,
Bas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
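As an added example that is not part of the thread or of Debian's own tooling: the two points Daniel and Bas discuss (keeping a third-party repository from replacing apt, libc, bash or gnupg, and at least surfacing when it would) can both be handled on the user's side with mechanisms apt already has. The script below assumes a hypothetical third-party host name `repo.example.com`, and the upgrade plan it parses is a constructed sample in the format `apt-get -s dist-upgrade` prints, not captured output.

```shell
#!/bin/sh
# Added example (not the thread's or Debian's code): keep third-party apt
# sources from replacing core packages, and flag it when they would.

# Core packages a third-party repository should never replace.
# The list comes from the thread; extend it to taste (dpkg is added here).
PROTECTED="apt libc6 bash gnupg dpkg"

# Emit an apt_preferences(5) fragment for /etc/apt/preferences.d/ that
# pins the protected packages to priority -1 for one third-party host.
# Priority < 0 means apt never installs that version, even on request.
# The host name is an assumption; pass the one from your sources.list.
protected_pin_fragment() {
    host="$1"
    printf 'Package: %s\nPin: origin "%s"\nPin-Priority: -1\n' \
        "$PROTECTED" "$host"
}

# Read an "apt-get -s dist-upgrade" plan on stdin and print, for each
# protected package, the candidate version and origin whenever that
# origin is not Debian (Debian, Debian-Security, ...).  "Inst" lines look
# like:  Inst <pkg> [<old>] (<new> <Origin>:<ver>/<suite> [<arch>])
flag_third_party_core_upgrades() {
    awk -v prot="$PROTECTED" '
    BEGIN { n = split(prot, a, " "); for (i = 1; i <= n; i++) isprot[a[i]] = 1 }
    /^Inst / {
        pkg = $2
        if (!(pkg in isprot)) next
        s = $0
        sub(/^[^(]*\(/, "", s)      # keep "<new> <origin> [<arch>]"
        sub(/\)$/, "", s)
        split(s, f, " ")
        newver = f[1]; origin = f[2]
        if (origin !~ /^Debian/) print pkg, newver, origin
    }'
}

# Constructed sample plan: one core package (gnupg) would be replaced
# from a vendor repository; the rest come from Debian or are not core.
sample_upgrade_plan() {
    cat <<'EOF'
Inst libc6 [2.19-18+deb8u4] (2.19-18+deb8u6 Debian:8.5/stable [amd64])
Inst gnupg [1.4.18-7] (2.1.11-0vendor1 VendorRepo:stable [amd64])
Inst vendor-agent (1.0-1 VendorRepo:stable [amd64])
Inst bash [4.3-11] (4.3-11+deb8u1 Debian-Security:8/stable [amd64])
EOF
}

# Usage: on a real system replace sample_upgrade_plan with
#   apt-get -s dist-upgrade | flag_third_party_core_upgrades
sample_upgrade_plan | flag_third_party_core_upgrades
```

After dropping the fragment into /etc/apt/preferences.d/, check that it took with `apt-cache policy gnupg`: the third-party version should show priority -1 while the Debian version stays at its normal priority. The check only sees what apt reports; as Bas points out, a package's maintainer scripts can still do anything once installed, so the pin is the protection and the report is just a warning.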

