Web lists-archives.com

Re: PHP Support in Debian

Jonas Meurer:
> Am 17.10.18 um 12:00 schrieb Marco d'Itri:
>> On Oct 17, Holger Levsen <holger@xxxxxxxxxxxxxx> wrote:
>>> yes, but when using your repo one has to add your key to the keys apt
>>> trusts, and this is something completly different than using proper
>>> backports.
>> Well... I trust much more Ondrej's archive since over the years it has 
>> proven its quality and scope, while new packages are uploaded to 
>> backports sometimes without much testing.
> I agree that Odrej's packages (from deb.sury.org) have been of good
> quality in the past and I'm a happy user of them myself for situations
> where php7.1 or newer is needed on servers running Stretch.
> Still I agree with Holger and would prefer packages from official Debian
> infrastructure for two reasons:
> * The packages (except for binary uploads) are known to be *built* on
>   Debian infrastructure. In case of sury.org I have no doubts that
>   Ondrej takes care of a good build environment. But for average users,
>   being able to get packages from official Debian infrastructure gives
>   them more confidence.

Reproducibility testing could probably be employed here in order to gain
confidence of the packages in an external repository.  (I see there's a
'reprotest' package that seems meant to help with this.)

> * Adding backports to my sources.list doesn't automatically pull any
>   packages from there. I have to choose particular packages in a manual
>   process in order to install them from backports. That's different for
>   repositories like sury.org that provide packages under the release
>   target (e.g. 'stretch').
>   If I add deb.sury.org to my sources.list, then installed packages with
>   newer versions in this repo are automatically upgraded. This makes it
>   much easier to abuse the repo, e.g. in order to spread malware. In
>   other words, the attack vector is way larger.

There's an available middle-ground, which is to add an additional repository to
the sources.list file and add an apt Pin-Priority in /etc/apt/preferences.d/ for
that repository (of say priority 150) such that any installed packages from the
additional repository get updated, but any not-already-installed packages from
the additional repository aren't automatically used for upgrades.

See 'man apt_preferences' for details.

  -- Chris

Chris Knadle

Attachment: signature.asc
Description: OpenPGP digital signature