
I wonder when apt will start supporting specifying packages per repository. It's not safe how any package could come from any repository by default, unless annoying effort is spent manually pinning packages.


If you install a package, that package can do arbitrarily bad things to your system; a repository you don't trust is never "safe".


Yes, but they may add other packages that break my machine by mistake later. If I know I want only one thing from them, I limit their capacity for later damage.


When talking about safety I rather meant in terms of stability. Some repos publish a lot of newer packages when I would only want one.


I can think of at least one vector. Suppose a particular library announces one generic repository as their approved distribution channel. Suppose the repo does not do any vetting on what gets uploaded. In this circumstance, you'd only want to pull that particular package from the repo, not any arbitrary package.

So I think the trust model bears scoping. It's not all or nothing.


Is there any apt repo software that permits multiple parties to upload to a repo but also enforces that people can't upload new versions of other people's packages?

As it happens, Debian itself kinda does this (Debian "maintainers" can only upload to specific package names), but I don't think anyone else runs that software. The usual third-party repo tools like reprepro and aptly don't support it, as far as I know. And sites like Launchpad or OBS just set up a separate apt repo per account (or even multiple apt repos per account), because doing that is very easy.

In other words - yes, the trust model you propose is coherent, but I don't think anyone actually does that, because there's a more straightforward option already.


Actually, both reprepro and aptly support this.


The apt trust model is overly simplistic but it is so hard to come up with a safe model that I don't see how it matters. And if a repository added for a specific package might be compromised then there might be a malicious version of that package already in the repo. Once you have to verify the versions and hashes by hand you may as well download the debs directly & use dpkg.


I don't trust any repository, but I still need to install packages to get things done.


What I do like is that dnf, I think, does not switch your packages between repositories, even if you added a third-party repo with a higher version number.

But this is hard to do correctly for deb repositories. We first need to come up with a way to declare repository groups so you can say that e.g. the security repo can provide updates to the main repo.


Apt does support this with pinning. You can say a repo has negative priority by default and a normal priority for specific packages.
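The arrangement described in the comment above, as an added example in apt_preferences(5) syntax (not the commenter's own configuration); `ppa.example.invalid` and `onlytool` are placeholders for the third-party repository's hostname (as it appears in the sources list) and the single package wanted from it:

```text
# /etc/apt/preferences.d/thirdparty-onlytool  (constructed example)

# General record: a negative priority means apt will never install
# any version that comes from this origin ...
Package: *
Pin: origin ppa.example.invalid
Pin-Priority: -1

# ... except this one package. A specific record takes precedence over
# the general "*" record regardless of order, and 500 is apt's normal
# priority for an ordinary source.
Package: onlytool
Pin: origin ppa.example.invalid
Pin-Priority: 500
```

Check the result with `apt-cache policy onlytool` and `apt-cache policy <some-other-package>`, which print the priority each candidate version ends up with per origin.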


It's ... tough



