Hi,

On 31.01.2016 14:48, Geert Stappers wrote:

> What I wish is an apt sources.list line like
>   deb http://nicelookingproject.com/debian version main pl:foo
> will only install package foo from the nice looking project repository

That might be better expressed as an attribute, similar to the arch limitation, or authentication overrides.

> It is to make it possible that nice looking project can say:
> We will only provide package foo and nothing else.

I'm not entirely convinced that is useful, because the sanest way for a project to ship their own APT source these days is to have a package that provides a sources.list entry and the public key the repo needs to be signed with -- and then update both from within the repo itself.

So this would have no real effect on security -- but a way to track package names to repositories and alert on changes would be a nice feature.

This could be integrated into the priority system: when a package from a repo is explicitly installed, this repo then gets priority for this package, and all its dependencies, provided they are not yet bound to another repo, in which case the user is asked explicitly (which should keep interaction down to a minimum).

I also think that we shouldn't encourage non-Debian repositories too much. It makes sense for fast-moving projects like Jenkins who refactor their entire codebase every three months, but I'd really prefer upstream authors to be involved in the long term support.

   Simon
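
The package-to-repository binding described in the reply above, sketched as an added example: it is not part of the original message and not apt code. The function names, the in-memory index layout and the sample repositories are hypothetical and constructed for illustration.

```python
# Added illustration of the binding idea; this is not apt code and every
# name here is hypothetical. Repository indexes are constructed sample data.

def bind_on_install(bindings, repos, package, repo):
    """Bind `package` and the dependencies `repo` ships to `repo`.

    bindings: dict package -> repo name, updated in place.
    repos:    dict repo name -> {package: [dependency names]}.
    Returns (package, bound_repo, requesting_repo) tuples for packages
    already bound elsewhere; those are left for the user to decide.
    """
    conflicts, queue, seen = [], [package], set()
    while queue:
        name = queue.pop()
        if name in seen or name not in repos[repo]:
            continue  # visited already, or not shipped by this repo
        seen.add(name)
        owner = bindings.setdefault(name, repo)
        if owner != repo:
            conflicts.append((name, owner, repo))
            continue  # do not pull in dependencies of a contested package
        queue.extend(repos[repo][name])
    return conflicts


def unexpected_offers(bindings, repos):
    """List (package, offering_repo, bound_repo) where a repository ships a
    package that is bound to a different repository: the change to alert on."""
    return sorted(
        (name, repo, bindings[name])
        for repo, index in repos.items()
        for name in index
        if name in bindings and bindings[name] != repo
    )


# Constructed sample state: two packages already bound to Debian.
REPOS = {
    "debian": {"libc6": [], "bash": ["libc6"]},
    "nicelookingproject": {"foo": ["libfoo", "libc6"], "libfoo": []},
}
BINDINGS = {"libc6": "debian", "bash": "debian"}

if __name__ == "__main__":
    print(bind_on_install(BINDINGS, REPOS, "foo", "nicelookingproject"))
    REPOS["nicelookingproject"]["bash"] = []  # the repo later starts shipping bash
    print(unexpected_offers(BINDINGS, REPOS))
```

Installing foo binds foo and libfoo to the third-party repository without touching libc6; once that repository starts shipping bash, the second call reports it because bash is already bound to Debian.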