
Re: PHP Support in Debian

On 17.10.18 at 12:00, Marco d'Itri wrote:
> On Oct 17, Holger Levsen <holger@xxxxxxxxxxxxxx> wrote:
>> yes, but when using your repo one has to add your key to the keys apt
>> trusts, and this is something completely different than using proper
>> backports.
> Well... I trust much more Ondrej's archive since over the years it has 
> proven its quality and scope, while new packages are uploaded to 
> backports sometimes without much testing.

I agree that Ondrej's packages (from deb.sury.org) have been of good
quality in the past and I'm a happy user of them myself for situations
where php7.1 or newer is needed on servers running Stretch.

Still I agree with Holger and would prefer packages from official Debian
infrastructure for two reasons:

* The packages (except for binary uploads) are known to be *built* on
  Debian infrastructure. In case of sury.org I have no doubts that
  Ondrej takes care of a good build environment. But for average users,
  being able to get packages from official Debian infrastructure gives
  them more confidence.

* Adding backports to my sources.list doesn't automatically pull any
  packages from there. I have to choose particular packages in a manual
  process in order to install them from backports. That's different for
  repositories like sury.org that provide packages under the release
  target (e.g. 'stretch').
  If I add deb.sury.org to my sources.list, then installed packages with
  newer versions in this repo are automatically upgraded. This makes it
  much easier to abuse the repo, e.g. in order to spread malware. In
  other words, the attack vector is way larger.


Attachment: signature.asc
Description: OpenPGP digital signature
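
The upgrade behaviour behind the second reason in the message above, as an added example that is not part of the original thread: a simplified Python model of APT's candidate selection, showing why a source at the default priority 500 replaces installed packages on upgrade while backports (priority 100 via NotAutomatic/ButAutomaticUpgrades) does not. The package versions, source labels and the pin to 100 are constructed assumptions, and versions are compared as plain tuples instead of with Debian version ordering.

```python
# Added illustration: simplified model of APT candidate selection as
# described in apt_preferences(5). Versions are plain tuples here; real APT
# uses Debian version ordering. Package versions below are constructed.
from typing import NamedTuple, Optional

INSTALLED = 100      # priority of the currently installed version
DEFAULT = 500        # source without NotAutomatic in its Release file
NOT_AUTOMATIC = 100  # NotAutomatic + ButAutomaticUpgrades (Debian backports)

class Offer(NamedTuple):
    version: tuple
    source: str
    priority: int

def candidate(installed: Optional[tuple], offers: list) -> Offer:
    """Return the offer APT would pick for one package."""
    pool = list(offers)
    if installed is not None:
        pool.append(Offer(installed, "installed", INSTALLED))
    best = {}  # each version takes the highest priority of any source carrying it
    for o in pool:
        if o.version not in best or o.priority > best[o.version].priority:
            best[o.version] = o
    # Rule 1: never downgrade unless the priority exceeds 1000.
    allowed = [o for o in best.values()
               if installed is None or o.version >= installed or o.priority > 1000]
    # Rule 2: highest priority wins; ties go to the newest version.
    return max(allowed, key=lambda o: (o.priority, o.version))

STABLE = Offer((7, 0), "stretch", DEFAULT)
BACKPORTS = Offer((7, 3), "stretch-backports", NOT_AUTOMATIC)
THIRD_PARTY = Offer((7, 2), "third-party 'stretch' suite", DEFAULT)

def scenarios() -> dict:
    """Which source supplies the package after a plain `apt upgrade`."""
    pinned = THIRD_PARTY._replace(priority=100)  # admin pin in preferences.d
    return {
        "backports added": candidate((7, 0), [STABLE, BACKPORTS]).source,
        "third-party added": candidate((7, 0), [STABLE, THIRD_PARTY]).source,
        "third-party pinned to 100": candidate((7, 0), [STABLE, pinned]).source,
        "already on backports": candidate(
            (7, 3), [STABLE, Offer((7, 4), "stretch-backports", NOT_AUTOMATIC)]).source,
    }

if __name__ == "__main__":
    for name, source in scenarios().items():
        print(f"{name}: {source}")
```

On a real system, `apt-cache policy` prints the priority each configured source actually receives, which is the quickest way to see which repositories can replace installed packages on upgrade.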