[kwlug-disc] Going outside the repository

B.S. bs27975 at yahoo.ca
Mon Nov 10 14:54:50 EST 2014


Thus the Ubuntu PPAs which handle the signing, and so on. Let alone 
aptitude update/upgrade auto advise of new versions available. 
https://help.launchpad.net/Packaging/PPA

And since they do the hosting, your, or your organization's bandwidth is 
preserved.

Don't recall what, if anything, SourceForge is/n't doing - I think 
MD5s, but I don't recall keys.


On 14-11-10 01:08 PM, Chris Frey wrote:
> On Sat, Nov 08, 2014 at 11:05:13AM -0500, Khalid Baheyeldin wrote:
>> This is why Debian repositories, as fantastic as they are, are not
>> suitable for fast moving, complex projects, with lots of add-ons, and
>> built in update mechanisms.
>>
>> I install everything from the repositories, but make exceptions where
>> they make sense.
>>
>> Drupal is one such exception. Having it frozen in time in the
>> repositories means you don't get security updates quickly enough. You
>> are better off without debian repos here.
>>
>> Again, those are the exceptions, not the rule.
>
> The main downside to going outside the Debian repositories is that
> it often seems that package signing is suddenly an afterthought.
>
> With Debian, I can do a system upgrade on an untrusted network with
> relative comfort.
>
> Package signing seems so fundamental to me, but often it is non-existent
> when folks cook up their own package system.  Even Gentoo went for years
> without package signing in their emerge system.  I had to skip the
> rsync and download the nightly archives to get some semblance of
> signing.  I don't know if they even have it yet.
>
> How does Drupal stack up?
>
> Ruby, as one example, posts MD5 sums of their source tarballs on their
> website.  This is worse than useless, since 1) there is no PGP key to
> check against, 2) MD5 has been cracked for years, and 3) it therefore
> gives a false sense of security.
>
> - Chris
