More and more frequently I'm encountering systems where third-party repositories have been added into /etc/apt/sources.list or /etc/apt/sources.list.d, usually put there by some .deb package that a user installed from some third-party site.

There are a few things going on here:

a) the .deb format is convenient and respected, so when a user sees a .deb file, they have the impression it is easy to install and potentially trustworthy

b) many upstreams appear frustrated about getting their package officially supported in Debian. Sometimes there is good reason their package doesn't belong in Debian, but sometimes it is more about inertia in Debian, or the upstream isn't aware of backports and thinks their package will be stuck at a particular version forever.

From a technical perspective, can we do more to prevent users being surprised by packages putting new entries in /etc/apt/sources.list.d?

From an organizational perspective, can we do more to make contact with such upstreams and try to find ways to involve them in releasing their packages through official channels?

Is there any way we could gather data about how many upstreams do this without compromising user privacy?
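As an added example (not part of the original message, and not Debian's own tooling), here is one way an administrator can find out which installed packages touched the APT source configuration. It reads dpkg's on-disk database, assumed to be at the default /var/lib/dpkg/info; the function name find_source_droppers is hypothetical.

```shell
#!/bin/sh
# Added example: audit dpkg's database for packages that add APT sources.
# Assumption: the dpkg database lives in /var/lib/dpkg/info (the default).

# find_source_droppers [INFO_DIR]
# Prints one line per finding:
#   ships <pkg> <path>     the package installs /etc/apt/sources.list or a
#                          file under /etc/apt/sources.list.d
#   script <pkg> <kind>    the package's preinst/postinst mentions
#                          "sources.list" (this also matches sources.list.d)
find_source_droppers() {
    info_dir=${1:-/var/lib/dpkg/info}

    # <pkg>.list holds every path the package installed. The bare directory
    # /etc/apt/sources.list.d is deliberately not matched, so a package that
    # only owns the directory is not reported.
    for f in "$info_dir"/*.list; do
        [ -f "$f" ] || continue
        pkg=$(basename "$f" .list)
        grep -E '^/etc/apt/sources\.list(\.d/.+)?$' "$f" |
        while IFS= read -r path; do
            printf 'ships %s %s\n' "$pkg" "$path"
        done
    done

    # Files written by a maintainer script never appear in <pkg>.list, so
    # the scripts are searched as well. This is a plain text match: a script
    # that assembles the path at run time will not be found.
    for kind in preinst postinst; do
        for f in "$info_dir"/*."$kind"; do
            [ -f "$f" ] || continue
            if grep -q 'sources\.list' "$f"; then
                printf 'script %s %s\n' "$(basename "$f" ."$kind")" "$kind"
            fi
        done
    done
}

# Usage on a live system: find_source_droppers
```

Any file in /etc/apt/sources.list.d that is explained by neither kind of finding was put there by hand or by something outside dpkg.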