-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, May 19, 2016 at 07:15:01PM +0200, Daniel Pocock wrote:
> Another thing comes to mind: making sure that even if the user
> explicitly allows some other repository, they are protected from package
> updates that come along and replace other things like apt itself, libc,
> bash, gnupg, ...

I don't think we want to prevent that. If they want to install a package
that does that, they can. However, I think it is reasonable to warn them
that they should get ready for trouble when installing a package that
isn't from Debian, and especially if they install a new entry into
sources.list from an external source.

I don't see how to technically do such a thing though; the problem is
that these kinds of upstreams often don't care about our (or their
users') systems and will inject any code in their package that makes the
warnings go away.

Thanks,
Bas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJXPfugAAoJEJzRfVgHwHE61mcQAKQzjwht59J73zievxLTlqoz
QNMnmorJJb5vvx1PDwJzfqqL4rqRPu5/h9wiHjYhi+O3YM2J8W4phKxyMNIDYR1R
p+BA1CwSUuGX3/4je1QWaNpHa6IpgU9HxlUtrLNnjhJvtAuRR4PXfv15tPxsGgxi
AT5770XMSuCjNSehpC5nhp2l9HFiaRnaTa8tIENf6Bj1NrXrH/Em2/3CKbZiTkTf
S5C0IHWPTJyIYGqRALub+DiVvYd/d2ZNdFAwRW3/8nyJeBLwEkQ9BO8mNOdBHZWF
Fbvi0WJ5bBo1mcIVc9vO/4QvrFGPqxXYo8Sf+dI2O/NmzKdQ6XXwcy30HL8R/DhD
gZzhOJLnJFmUTpvqUAv1ywt9mfqNE4ed7/9ccN+4nTVHNSbxqJZyEimIi6x7dZop
dYZvdjoDgHRBFG7cBaGGH0Dqb+r0fSkP05Foxxy3ShITMzYQRPDzRPmxRxaU6ojB
Y5+GLQ3wlEMmiNsK34y1pQcJYKI5B7d+LYS1B/K5/Enkv7Z+4n8CX2AHtRMDmpHt
wQYKKaHjOktGZQonE1fF0vb4WE4otoidAyyN0jnlQDlq9aTp4OHDFcx5o8u6ppgG
LmKw7YTosFwzd37kHmH7icwvXiPHwIvHwR+9Vt/0wra/juD9Xktom2TtuA02MwIY
nPAD/aVlO95tD43+9EQP
=54DY
-----END PGP SIGNATURE-----
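The protection Daniel asks about in the quoted part (keeping a third-party repository from replacing apt, libc, bash or gnupg) can be expressed today with APT pinning. The fragment below is an added illustration for this thread, not something either poster proposed or anything shipped by Debian. The hostname deb.example.com stands in for whatever repository the user added to sources.list, and libc6 is the binary package name behind "libc" in the quote.

```text
# /etc/apt/preferences.d/10-protect-core
# Added example for this thread; deb.example.com is a placeholder for the
# third-party repository the user enabled.
#
# A negative Pin-Priority means "never install this version", so apt will
# not take any of these packages from that origin, even if it advertises a
# higher version than Debian does.
Package: apt libc6 bash gnupg
Pin: origin "deb.example.com"
Pin-Priority: -1
```

Check the effect with `apt-cache policy bash`, which lists the pin priority next to each candidate version, or with `apt-get install -s` against a package from that repository before doing it for real. The limit of this approach is exactly Bas's objection above: any package the user does install from that repository runs its maintainer scripts as root, and such a script can simply delete this file, so the pin only protects against an ordinary update, not against a repository that sets out to defeat it.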