[kwlug-disc] Going outside the repository (was: Re: More news on ownCloud)

Khalid Baheyeldin kb at 2bits.com
Mon Nov 10 13:28:08 EST 2014


On Mon, Nov 10, 2014 at 1:08 PM, Chris Frey <cdfrey at foursquare.net> wrote:
> On Sat, Nov 08, 2014 at 11:05:13AM -0500, Khalid Baheyeldin wrote:
>> This is why Debian repositories, as fantastic as they are, are not
>> suitable for fast moving, complex projects, with lots of add-ons, and
>> built in update mechanisms.
>>
>> I install everything from the repositories, but make exceptions where
>> they make sense.
>>
>> Drupal is one such exception. Having it frozen in time in the
>> repositories means you don't get security updates quickly enough. You
>> are better off without debian repos here.
>>
>> Again, those are the exceptions, not the rule.
>
> The main downside to going outside the Debian repositories is that
> it often seems that package signing is suddenly an afterthought.
>
> With Debian, I can do a system upgrade on an untrusted network with
> relative comfort.
>
> Package signing seems so fundamental to me, but often it is non-existent
> when folks cook up their own package system.  Even Gentoo went for years
> without package signing in their emerge system.  I had to skip the
> rsync and download the nightly archives to get some semblance of
> signing.  I don't know if they even have it yet.
>
> How does Drupal stack up?
>
> Ruby, as one example, posts MD5 sums of their source tarballs on their
> website.  This is worse than useless, since 1) there is no PGP key to
> check against, 2) MD5 has been cracked for years, and 3) it therefore
> gives a false sense of security.

Fair point ...

Drupal has a central repository that is generally trusted for the
major modules that are heavily used.

There are tools to download and install stuff.

drush dl mymodule
drush en mymodule

The concept of distributed repositories is not really used in Drupal.
There was at some point the features repository, but it did not catch
on.

There is no packaging per se. It is a .zip or .tgz file, with a .info
file that has the name of the module, version, and dependencies, and
not much else.

For anything other than the central repository: buyer beware ...

There is always talk on debianizing Drupal, but with drush doing most
of that, there seems to be just the signing part that is missing.

-- 
Khalid M. Baheyeldin
2bits.com, Inc.
Fast Reliable Drupal
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. -- Edsger W. Dijkstra
Simplicity is the ultimate sophistication. -- Leonardo da Vinci
"For every complex problem, there is an answer that is clear, simple,
and wrong." -- H.L. Mencken
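An added example, not code from this thread, from drush or from Drupal: a Python script that reads a module .tgz of the kind described above (a .info file carrying name, version and dependencies) and checks the archive against a SHA-256 digest before looking inside it. The sample module and its digest are constructed inside the script; the assumption that a trustworthy digest is available out of band is precisely the piece the post says is missing. It also refuses archive members with absolute or '..' paths and links, which goes a little beyond the text.

```python
"""Added example: verify a Drupal-style module archive (.tgz) against a
SHA-256 digest obtained out of band, then read the module's .info file.
Illustrative code only; the sample module and its digest are constructed
here, and nothing below is drush's or Drupal's own code."""
import gzip
import hashlib
import hmac
import io
import re
import tarfile

# Constructed sample .info file in the Drupal 7 "key = value" format
# (name, version, core compatibility and dependencies[] entries).
SAMPLE_INFO = """\
; constructed sample, not a real module
name = Example Module
description = Demonstrates .info parsing.
core = 7.x
version = "7.x-1.2"
project = "example_module"
dependencies[] = ctools
dependencies[] = views (>=7.x-3.0)
files[] = example_module.module
"""

_KV_RE = re.compile(r"^([A-Za-z0-9_.]+)(\[\])?\s*=\s*(.*)$")
_DEP_RE = re.compile(r"^([A-Za-z0-9_]+)\s*(?:\((.+)\))?$")


def build_sample_archive(info_text=SAMPLE_INFO):
    """Build a deterministic in-memory .tgz holding example_module/example_module.info."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            data = info_text.encode("utf-8")
            member = tarfile.TarInfo("example_module/example_module.info")
            member.size = len(data)
            tar.addfile(member, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def digest_matches(data, expected_hex):
    """Constant-time comparison of the archive digest with the pinned value."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def parse_info(text):
    """Parse .info text: scalar keys, and key[] lines collected into lists."""
    info = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank lines and ; comments
            continue
        m = _KV_RE.match(line)
        if not m:
            raise ValueError("unparseable .info line: %r" % raw)
        key, is_list, value = m.groups()
        value = value.strip().strip('"')          # values may be double-quoted
        if is_list:
            info.setdefault(key, []).append(value)
        else:
            info[key] = value
    return info


def parse_dependency(entry):
    """Split 'views (>=7.x-3.0)' into ('views', '>=7.x-3.0'); no constraint -> None."""
    m = _DEP_RE.match(entry.strip())
    if not m:
        raise ValueError("bad dependency entry: %r" % entry)
    return m.group(1), m.group(2)


def inspect_module_archive(archive, expected_sha256):
    """Verify the digest, refuse unsafe member paths, and return the parsed .info.

    Raises ValueError if the digest does not match or the archive looks hostile."""
    if not digest_matches(archive, expected_sha256):
        raise ValueError("archive digest does not match the pinned SHA-256")
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        members = tar.getmembers()
        for member in members:
            # A hand-packed .tgz can carry absolute or '..' paths; reject them.
            if member.name.startswith("/") or ".." in member.name.split("/"):
                raise ValueError("unsafe path in archive: %r" % member.name)
            if member.issym() or member.islnk():
                raise ValueError("link in archive: %r" % member.name)
        infos = [m for m in members if m.isfile() and m.name.endswith(".info")]
        if len(infos) != 1:
            raise ValueError("expected exactly one .info file, found %d" % len(infos))
        text = tar.extractfile(infos[0]).read().decode("utf-8")
    info = parse_info(text)
    info["dependencies"] = [parse_dependency(d) for d in info.get("dependencies", [])]
    return info


if __name__ == "__main__":
    archive = build_sample_archive()
    pinned = sha256_hex(archive)   # stands in for a digest fetched over a trusted channel
    print(inspect_module_archive(archive, pinned))
    tampered = archive[:-1] + bytes([archive[-1] ^ 0x01])
    try:
        inspect_module_archive(tampered, pinned)
    except ValueError as err:
        print("rejected:", err)
```

The digest check is deliberately placed before the archive is opened, so a tampered download is rejected without ever handing attacker-controlled bytes to the tar parser; a signature over the digest (the part the post notes drush lacks) would slot in at the same point.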