Re: third-party packages adding apt sources

[Ian Jackson <ijackson@chiark.greenend.org.uk>]

Bas Wijnen writes ("Re: third-party packages adding apt sources"):
> On Thu, May 19, 2016 at 07:15:01PM +0200, Daniel Pocock wrote:
> > Another thing comes to mind: making sure that even if the user
> > explicitly allows some other repository, they are protected from package
> > updates that come along and replace other things like apt itself, libc,
> > bash, gnupg, ...
> 
> I don't think we want to prevent that.  If they want to install a
> package that does that, they can.  However, I think it is reasonable
> to warn them that they should get ready for trouble when installing
> a package that isn't from Debian, and especially if they install a
> new entry into sources.list from an external source.
> 
> I don't see how to technically do such a thing though; the problem is that
> these kind of upstreams often don't care about our (or their user's) systems
> and will inject any code in their package that makes the warnings go away.

If we provided a better, more official, way, that gave the relevant
software provider some kind of semi-approval, then we could probably
persuade the upstreams to start using it.

But I agree that playing core wars against the third party repo
packages is a really really bad idea.  It won't work.  It's a recipe
for craziness.  And it's unethical because it also amounts to playing
core wars against our users - who have, after all, probably decided
that this is what they want.

Ian.