[Hamara-devel] discussion about decreasing packaging overhead in debian
Jonas Smedegaard
dr at jones.dk
Thu Nov 19 12:40:52 GMT 2015
Quoting Vikas Tara (2015-11-19 12:56:43)
> On 19/11/15 11:32, Jonas Smedegaard wrote:
>> Quoting Vikas Tara (2015-11-19 11:23:42)
>>> We will be looking to make hamara-sugam as lean as possible and
>>> encourage people to create apt repos on portable media to help each
>>> other keep up to date.
>>
>> Custom APT repos have a high risk of spreading malware.
>
> Am thinking of an apt repo that can be downloaded from us as a usb
> image. It should be signed with our keys so that hamara installations
> that update from such a medium, ought to complain if it's been
> tampered with.

Ah, so you don't wanna encourage folks to _create_ repos but instead to
mirror _your_ repo. Makes sense.

How will you then handle security updates?

>> A safer option is to use a proxy - I use approx when in bandwidth
>> limited - or even completely offline - environments.
>
> Yeah - works too - but might require the user to have greater
> expertise?

A proxy requires someone to set it up. Just as a custom-composed signed
repo requires someone to set it up. That someone can be a skilled user,
or a non-skilled user with distributor-provided user-friendly wrappers.

I recommend proxy because it is generic, so if some (you?) created e.g.
an LXDE GUI interface to flushing stale proxy data and injecting new
packages from untrusted sources like USB sticks, then that work would
instantly be usable globally, not unique to one distributor.

You might also consider apt-offline - and its GUI apt-offline-gui.

- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
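
The tamper check discussed in the thread, as an added example that is not part of the original message: a signed Release file lists the SHA256 hash and size of each index file, so once its signature is trusted, a modified index on the USB medium fails the comparison. The function names and the sample repository are constructed for illustration, and verifying the signature on Release itself (for instance with gpgv) is assumed to have happened separately.

```python
import hashlib
import os
import tempfile

def parse_release_sha256(release_text):
    """Return {path: (sha256_hex, size)} from the SHA256 section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_section = False
    return entries

def verify_indexes(dist_dir, release_text):
    """Check index files under dist_dir against Release; return (verified, tampered)."""
    verified, tampered = [], []
    for path, (digest, size) in sorted(parse_release_sha256(release_text).items()):
        full = os.path.join(dist_dir, path)
        if not os.path.isfile(full):
            continue  # Release may list compressed variants the medium does not carry
        with open(full, "rb") as f:
            data = f.read()
        ok = len(data) == size and hashlib.sha256(data).hexdigest() == digest
        (verified if ok else tampered).append(path)
    return verified, tampered

def build_demo(tmp):
    """Constructed sample: one Packages index and a Release file that lists it."""
    rel = "main/binary-amd64/Packages"
    body = b"Package: hello\nVersion: 1.0\nFilename: pool/main/h/hello/hello_1.0_amd64.deb\n"
    os.makedirs(os.path.join(tmp, os.path.dirname(rel)))
    with open(os.path.join(tmp, rel), "wb") as f:
        f.write(body)
    release = "Suite: stable\nSHA256:\n %s %d %s\n" % (
        hashlib.sha256(body).hexdigest(), len(body), rel)
    return rel, release

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        rel, release = build_demo(tmp)
        print("untouched medium:", verify_indexes(tmp, release))
        with open(os.path.join(tmp, rel), "ab") as f:
            f.write(b"\nPackage: injected\n")  # simulate tampering on the stick
        print("modified medium: ", verify_indexes(tmp, release))
```

An empty `verified` list means nothing on the medium was actually checked, so a wrapper should treat that case as a failure rather than as a clean result.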