[kwlug-disc] Going outside the repository (was: Re: More news on ownCloud)

Chris Frey cdfrey at foursquare.net
Mon Nov 10 13:08:05 EST 2014


On Sat, Nov 08, 2014 at 11:05:13AM -0500, Khalid Baheyeldin wrote:
> This is why Debian repositories, as fantastic as they are, are not
> suitable for fast moving, complex projects, with lots of add-ons, and
> built-in update mechanisms.
> 
> I install everything from the repositories, but make exceptions where
> they make sense.
> 
> Drupal is one such exception. Having it frozen in time in the
> repositories means you don't get security updates quickly enough. You
> are better off without Debian repos here.
> 
> Again, those are the exceptions, not the rule.

The main downside to going outside the Debian repositories is that
it often seems that package signing is suddenly an afterthought.

With Debian, I can do a system upgrade on an untrusted network with
relative comfort.

Package signing seems so fundamental to me, but often it is non-existent
when folks cook up their own package system.  Even Gentoo went for years
without package signing in their emerge system.  I had to skip the
rsync and download the nightly archives to get some semblance of
signing.  I don't know if they even have it yet.

How does Drupal stack up?

Ruby, as one example, posts MD5 sums of their source tarballs on their
website.  This is worse than useless, since 1) there is no PGP key to
check against, 2) MD5 has been cracked for years, and 3) it therefore
gives a false sense of security.

- Chris
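As an added illustration of the point above (not code from the post or from any of the projects named), a Python toy in which the download site is a dict that an attacker controlling the channel can rewrite. HMAC with a key assumed to have been obtained out of band stands in for a PGP signature, and all tarball contents and keys are constructed samples.

```python
import hashlib
import hmac

# Constructed sample contents; no real tarball is involved.
GENUINE_TARBALL = b"ruby-x.y.z.tar.gz: genuine contents (constructed sample)"
TROJANED_TARBALL = b"ruby-x.y.z.tar.gz: tampered contents (constructed sample)"

# Hypothetical release key that the downloader obtained out of band
# (keyserver, fingerprint printed in documentation), NOT from the download
# site itself.  HMAC stands in for a PGP signature; the property that matters
# is that whoever controls the website does not hold this key.
RELEASE_KEY = b"hypothetical-out-of-band-release-key"


def publish(tarball):
    """What the project puts on its website: tarball, MD5 sum, signature."""
    return {
        "tarball": tarball,
        "md5": hashlib.md5(tarball).hexdigest(),
        "sig": hmac.new(RELEASE_KEY, tarball, hashlib.sha256).hexdigest(),
    }


def channel_tampered(site, replacement):
    """Model of a compromised download channel: the tarball is swapped and a
    matching MD5 sum is published beside it.  The old signature is left in
    place because a new one cannot be made without RELEASE_KEY."""
    return {
        "tarball": replacement,
        "md5": hashlib.md5(replacement).hexdigest(),
        "sig": site["sig"],
    }


def verify_by_md5(site):
    """Checksum fetched from the same channel as the file: detects download
    corruption only, never substitution by whoever controls the channel."""
    return hashlib.md5(site["tarball"]).hexdigest() == site["md5"]


def verify_by_signature(site, trusted_key):
    """Signature checked against a key obtained out of band."""
    expected = hmac.new(trusted_key, site["tarball"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, site["sig"])
```

Note that the MD5 check passes on the swapped tarball without any collision attack at all: the weakness the toy shows is the missing trust anchor, and MD5's brokenness only makes a bad situation worse.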