Re: discuss debian's attitude to ppa
Hi.
On Sat, 23 May 2015 09:28:55 +0200
Petter Adsen <petter@synth.no> wrote:
> On Sat, 23 May 2015 15:13:33 +0800
> mudongliang <mudongliangabcd@hotmail.com> wrote:
>
> > On 05/23/2015 02:37 PM, Dalios wrote:
> > > That said you can try to install the .deb package with other ways
> > > (for example using gdebi) but the main drawback (apart from any
> > > inconsistencies already mentioned) is that the package won't be
> > > updated with the rest of the system because apt/synaptic will not
> > > be able to do this.
> > > At last, I want to talk about the future of ppa in Debian! Even the
> > leader has said the weakness of ppa! Maybe Debian will not use ppa!
> > Maybe LMDE is just a hint! Isn't it!?
> > mudongliang
>
> The major problem with using a ppa is that the software has not been
> vetted by the Debian project. It could contain malware or other
> security problems, and the maintainer of the ppa can suddenly decide to
> drop support of it, leaving you with a package that does not receive
> updates.
>
> You need to consider whether you trust the person running the ppa to
> not introduce weaknesses to your system. With the Debian repositories,
> there is a system in place to handle all of this. Adding a foreign
> repository _can_ make you vulnerable. You just don't know.
>
> There is also the matter of dependencies, if the repository you are
> using is not intended for your exact distribution.
>
> It's not a matter of not supporting ppas, it's a matter of not
> recommending them. You can always add the repository to sources.list
> and add the key manually.
I'd like to add something to your excellent points.
$ wget http://ppa.launchpad.net/justzx2011/openyoudao-v0.4/ubuntu/pool/main/o/openyoudao/openyoudao_0.4-1_amd64.deb
...
$ lintian openyoudao_0.4-1_amd64.deb | wc -l
48
Whoever packaged this software did an abysmally bad job. I doubt that this
package would be accepted in the Debian archive in its current shape.
Reco