Kristian Hermansen wrote:
> Universe and multiverse are not enabled by
> default, but they are hosted by the Ubuntu repositories. This means
> you can trust your source, for the most part. With Red Hat/FC, I
> always needed to add repositories not hosted by the official FC repos,
> and that's very dangerous.

Well, it's not inherently dangerous. It does require you to trust people from different organizations though.

> You can't always trust those packages which have been built and offered
> by third parties.

That's true, but if you can establish trust with the third party, then you can be just as confident as you are in "official" repos.

> In any event,
> default Ubuntu install still has your FC6 beat hands down on the quite
> incorrect "wc -l" test...
>
> # aptitude search ~n | wc -l
> 6265
>

No, it doesn't. From a couple emails ago:

Matthew Gillen wrote:
> Running that command on FC6 (with the Livna repo disabled so only the
> default-installed repos are counted) yields 6797 packages.

> Who's to say that your third-party repo will stick around for the life
> of your distro?

Fair enough. But if the software is used by enough people, there's sure to be a replacement soon. Or there's already more than one third-party.

> insecure repositories. Heh, maybe I should just set up my own Fedora
> repository and get tons of its users to trust me, then one day, once
> I have 50,000 users, change the acroread package post install script
> to ping -f some servers. You see, I would be wary of third-party
> repositories. I learned that lesson a long time ago!

Getting that many users would require a lot of time and effort (users expect high availability, quality packages, quick fixes when your updates break things, etc). Liken it to getting commit access to the Ubuntu (or BSD for that matter) code repositories: you could do the same thing if you earned people's trust by doing useful things for a long time. The amount of effort to position yourself that way would almost certainly outweigh however much money you could make from the one chance you'd get to DOS someone.

Matt

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.