
#1 2017-04-21 03:59:02

johnraff
nullglob
From: Nagoya, Japan
Registered: 2015-09-09
Posts: 12,661

The future for apt and dpkg

Just today I ran into this interesting page in the Debian Wiki on the general topic of making deb installation more secure:
UntrustedDebs

Along with spelling out just what nasty things can happen by installing from untrusted repositories (e.g. PPAs), it listed a lot of suggestions on how things might be improved in the future.

Along with that, came:
DeclarativePackaging

Plenty of food for thought about how package diversions or Debian alternatives might be handled more cleanly. Of course none of this is going to show up in Stretch, or maybe not in the release after that, but package developers might want to be aware of this stuff.


...elevator in the Brain Hotel, broken down but just as well...
( a boring Japan blog (currently paused), now on Bluesky, there's also some GitStuff )

Introduction to the Bunsenlabs Boron Desktop


#2 2017-04-21 12:01:11

Horizon_Brave
Operating System: Linux-Nettrix
Registered: 2015-10-18
Posts: 1,473

Re: The future for apt and dpkg

Hmm, very interesting... Brings up the great (scary) point that as much as we love our stable and secure ma Debian backbone, it's sort of a glass shield if the package handler tool can reach out and suck in packages or libs that it didn't intend to. Like the article said, it would require a crack of the keys of the repo... but I'm thinking worse and more complicated hacks have been done... so it wouldn't be too far-fetched... Plus the idea that many add their own repos and ones from other distros, perhaps ones that are not as locked down as Debian's, just asks for trouble...

Great article, John


"I have not failed, I have found 10,000 ways that will not work" -Edison


#3 2017-04-21 15:12:13

tynman
Member
Registered: 2015-10-13
Posts: 93

Re: The future for apt and dpkg

I too found it interesting, although I am a noob about Linux/Debian packaging. While reading, I wondered if the article would mention Flatpak (it didn't), which has recently joined the growing class of alternative Linux packaging approaches -- perhaps Flatpak wasn't well known (or didn't exist) at the time of writing.


#4 2017-04-22 12:32:21

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 9,093

Re: The future for apt and dpkg

tynman wrote:

Flatpak

Whilst flatpaks can be useful for certain corner-cases, I don't think they are the future of Linux packaging.

If you want a "click-to-install" bundle that contains all the libraries needed, use Windows instead.

The security model of Linux is predicated on the system libraries being shared across all programs. This allows them to be updated individually (for all programs) in the event of a vulnerability or serious error being discovered; flatpaks circumvent this completely and thus have the potential to seriously compromise the system.

See also https://bbs.archlinux.org/viewtopic.php?id=224999 (and the links therein).
