Richard Freeman on 9 Dec 2009 16:19:44 -0800


Re: [PLUG] trusting linux packages

On 12/09/2009 02:39 PM, Chad Waters wrote:
> It's a different scenario, but this is why I cringe when I see a
> sources.list with 10 random unofficial repositories.

Yup - it is a real tradeoff.  On Gentoo there has been talk about 
whether having more support for packages outside of the main repository 
would help distribute development, but in order for something like that 
to work you'd have to almost have some way of rating repositories in 
terms of quality and auditing them.

I'm not aware of any distros that have managed to have 
officially-sanctioned repositories not under the direct control of the 

Personally, while I might accept the odd package from an unusual source, 
I'm not going to give just anybody the ability to publish apps that are 
going to get automatically installed.

Google has actually been making several moves in this direction.  For 
example, their latest Android SDK is not distributed as an installable
package - instead they distribute what is essentially a package manager
that installs it.  Since the Android SDK doesn't have a free
redistribution license distros can't package it up and maintain it 
within their own package management systems.  At best you can only 
install the SDK installer without mirroring it.
Philadelphia Linux Users Group