Re: [PLUG] trusting linux packages

On 12/10/2009 08:01 AM, Art Alexion wrote:
> This presents a difficult dilemma in *how* you establish that initial trust.

Yup.  For the ultra-paranoid many distros give you the ability to 
essentially define your own repository, so you can just add one 
particular package to it (snapshotted in time).  That is essentially no 
less safe than just doing a full manual install if you've audited that 
package.  The downside is that you don't get updates of any kind 
(security included), so be sure to subscribe to the appropriate lists. 
The advantage over a manual install is you get any package-manager 
features like easy uninstalls, dependency management, and protection 
from file collisions (maybe).

I imagine that most distros also let you prioritize repositories, so 
that when you get davmail from Joe Smith you don't also get his latest 
build of glibc.

However, if you want the Debian stable experience, then you're going to 
have to stick with whatever is in Debian stable.  NOBODY else I'm aware 
of provides anything like this otherwise.
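
As an added illustration (not part of the original thread), here is what the "prioritize repositories" idea looks like on an apt-based system using apt_preferences pinning. The hostname `repo.joesmith.example` and the origin label `o=Debian` are placeholder assumptions; the file would live at something like `/etc/apt/preferences.d/davmail` on the reader's own box:

```text
# Assumed example, not from the mailing-list post.
# Goal: take only davmail from Joe Smith's third-party repo, and keep
# everything else (glibc included) coming from the distro's own archive.

# Distro archive stays the preferred source for everything.
Package: *
Pin: release o=Debian
Pin-Priority: 900

# davmail specifically is allowed to come from Joe's repo, and preferred
# there over any davmail the distro ships (specific-package records win
# over the "Package: *" records below and above).
Package: davmail
Pin: origin "repo.joesmith.example"
Pin-Priority: 950

# Every other package from Joe's repo gets priority 100: apt will only
# install such a version if no version of that package is installed at
# all, so an already-installed glibc is never upgraded from his build.
Package: *
Pin: origin "repo.joesmith.example"
Pin-Priority: 100
```

To check the effect before trusting it, run `apt-cache policy davmail` and `apt-cache policy libc6`: the output lists every candidate version with the priority apt assigned it and which repository it came from, so you can confirm that only davmail resolves to the third-party origin. If you want the third-party repo to never supply any other package, even a brand-new one pulled in as a dependency, a negative `Pin-Priority` (for example `-1`) on the last record forbids installation outright.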
