Hi,

On Sun, Jan 31, 2016 at 02:48:52PM +0100, Geert Stappers wrote:
> * consider non-Debian repositories trojan horses

[There is a certain irony to read that in a mail signed by an expired key (not online as I can see now, but in the debian-keyring which is where I import from).]

> What I wish is an apt sources.list line like
> deb http://nicelookingproject.com/debian version main pl:foo
> will only install package foo from the nice looking project repository

If at all, that would indeed be a []-option as that is backward compatible with older apt versions (and a proper field in deb822-style sources of course), but…

> The idea behind the request/wish is to give users of our system
> more control on how far they open a backdoor ...

… that is the wrong reason for it. As soon as you have added a repository you have to trust that repository COMPLETELY. Limiting which packages to install from this repository is no protection at all as you can do everything in any package. Why should I go to the trouble of providing a bad 'apt' package, if I can just convince the user to add my repo to install 'awesome-game' which just rsyncs the entire machine to "the cloud" or adds a new user + ssh server or or or…

What you could do with it is perhaps a shortcut for pinning, showing an additional message/require an additional confirmation, if a package is picked from that repository, or actually all of that in different features…

Best regards

David Kalnischkies
Attachment:
signature.asc
Description: PGP signature
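The "shortcut for pinning" David mentions already exists in spirit: apt_preferences(5) can restrict what apt will take from a single origin. The snippet below is an added example and not part of the thread or of apt itself; it reuses the hostname and the package name from Geert's hypothetical `pl:foo` sources.list line (the `pl:` syntax itself does not exist in apt, it was his proposal). The `origin` form of a Pin matches the host part of the repository URL, and a priority below 0 means apt will never install those versions.

```text
# /etc/apt/preferences.d/nicelookingproject
# Added example for this thread, not a file shipped by apt or by any project.

# Specific-form record: the package foo may be installed from the
# nicelookingproject.com origin, at the priority a normal Debian suite
# gets (500), so it competes with Debian's own version on version number.
Package: foo
Pin: origin nicelookingproject.com
Pin-Priority: 500

# General-form record: every other package from that origin is never a
# candidate, not even to satisfy a dependency (priority < 0).
Package: *
Pin: origin nicelookingproject.com
Pin-Priority: -10
```

Check the effect with `apt-cache policy foo` and `apt-cache policy`: foo's candidate may now come from nicelookingproject.com, while everything else from that host is listed at priority -10. A specific-form record (a named package) takes precedence over the general-form `Package: *` record, so the order of the two stanzas does not matter. This gives the control Geert asked for and carries exactly the limitation David describes: it only decides which package apt will pick, not what that package's maintainer scripts do as root during installation, and it changes nothing about the repository's Release and Packages files, which apt still fetches and parses. If foo depends on something only that repository ships, the -10 pin blocks the dependency and the install fails with unmet dependencies instead of silently widening the trust.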