Re: PHP Support in Debian
- Date: Sat, 20 Oct 2018 19:28:29 +0200
- From: Ondřej Surý <ondrej@xxxxxxxx>
- Subject: Re: PHP Support in Debian
Well, either you want old stable or bleeding edge. And with web technologies it’s usually the bleeding edge type of people. It would take a full-time job to create all the variants, and I do this mostly in my free time.
As for reproducible builds - that’s the next thing on my list, it seems that the patches got mixed up and the reproducible build patch got replaced with something else.
Ondřej Surý <ondrej@xxxxxxxx>
> On 20 Oct 2018, at 18:34, Jonas Meurer <jonas@xxxxxxxxxxxxxxx> wrote:
>> On 20.10.18 at 03:50, Chris Knadle wrote:
>> Jonas Meurer:
>>> * Adding backports to my sources.list doesn't automatically pull any
>>> packages from there. I have to choose particular packages in a manual
>>> process in order to install them from backports. That's different for
>>> repositories like sury.org that provide packages under the release
>>> target (e.g. 'stretch').
>>> If I add deb.sury.org to my sources.list, then installed packages with
>>> newer versions in this repo are automatically upgraded. This makes it
>>> much easier to abuse the repo, e.g. in order to spread malware. In
>>> other words, the attack vector is way larger.
>> There's an available middle-ground, which is to add an additional repository to
>> the sources.list file and add an apt Pin-Priority in /etc/apt/preferences.d/ for
>> that repository (of say priority 150) such that any installed packages from the
>> additional repository get updated, but any not-already-installed packages from
>> the additional repository aren't automatically used for upgrades.
>> See 'man apt_preferences' for details.
> Yep, you're right. I was talking about the default experience for users
> who don't know about advanced tricks.
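
The pinning behaviour discussed in the quoted messages above, as an added example that is not part of the thread: a simplified Python model of how apt chooses a candidate version from pin priorities, following the rules in 'man apt_preferences'. The version tuples are constructed, and the priorities 500 (default for a repository published under the release target) and 100 (backports, and the installed version) are assumptions of the model; 150 is the value suggested in the thread.

```python
# Simplified model of apt's candidate selection (rules from 'man apt_preferences').
# Versions are constructed integer tuples, not real Debian version strings.
DEFAULT = 500     # repository published under the release target, no pin
PINNED = 150      # Pin-Priority suggested in the thread
BACKPORTS = 100   # assumed priority of a backports suite
INSTALLED = 100   # priority apt gives the currently installed version


def candidate(installed, available):
    """Return the version apt would select.

    installed: version tuple, or None if the package is not installed
    available: list of (version, pin_priority) pairs across all repositories
    """
    prio = {}
    for version, p in available:
        prio[version] = max(p, prio.get(version, p))
    if installed is not None:
        prio[installed] = max(INSTALLED, prio.get(installed, INSTALLED))

    best, best_prio = None, -1
    for version in sorted(prio, reverse=True):  # newest first, so ties go to newer
        p = prio[version]
        if p <= 0 or p <= best_prio:
            continue
        # Versions older than the installed one need priority >= 1000 (no downgrade).
        if installed is not None and p < 1000 and version < installed:
            continue
        best, best_prio = version, p
    return best


if __name__ == "__main__":
    debian = ((7, 0), DEFAULT)
    # Unpinned third-party repo: the Debian-installed package is replaced.
    print(candidate((7, 0), [debian, ((7, 2), DEFAULT)]))
    # Pinned at 150: the Debian-installed package stays on the Debian version.
    print(candidate((7, 0), [debian, ((7, 2), PINNED)]))
    # Pinned at 150: a package already installed from the repo still gets updates.
    print(candidate((7, 2), [debian, ((7, 3), PINNED)]))
    # Backports: not pulled in automatically, same outcome as the pin.
    print(candidate((7, 0), [debian, ((7, 2), BACKPORTS)]))
```
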