On Mon, Dec 07, 2020 at 02:26:01PM +0100, Hans-Christoph Steiner wrote:
> Third party package repositories are a thing, like Ubuntu PPAs, aptly,
> JFrog Debian Repositories, etc. Unfortunately, due to Debian Apt's
> design, that means giving root access to each repository (package
> pre-install/remove/etc scripts are run as root). So installing via
> external repositories means the user needs to consider whether they
> trust those third party repositories with root access.

It isn't entirely unfortunate. Users, and especially system
administrators, ought to be minimally trusting of external resources.
The TCB must be kept small, or security is an illusion.

Apt's design, IMO, encourages people to think twice - and ideally to
stop themselves - before they install software. Especially software
from outside Main, and *especially* software from outside Debian.

Put differently: yes, third party package repositories are a thing.
But they are mostly not a good thing, and they should probably not be
encouraged.

Far, far better for the OP to keep the focus on getting OpenRefine into
Debian properly, rather than to consider expending time and resources
on less beneficial outcomes.

(BTW, Hans-Christoph, I think you were, above, trying to point out
pitfalls of third party repositories; not trying to encourage their
use. So, my email is not intended as a dig at you at all. I just
wanted to point out that Apt's design is in many ways something to be
glad about. I am grateful to the Apt developers and to responsible
Debian packagers everywhere, and I would be happy for this gratitude to
one day also extend to whoever ends up packaging OpenRefine for Debian.)

-- 
A: When it messes up the order in which people normally read text.
Q: When is top-posting a bad thing?

()  ASCII ribbon campaign. Please avoid HTML emails & proprietary
/\  file formats. (Why? See e.g. https://v.gd/jrmGbS ). Thank you.