[Hamara-devel] discussion about decreasing packaging overhead in debian

Vikas Tara vik at hamaralinux.org
Thu Nov 19 13:17:37 GMT 2015


On 19/11/15 12:40, Jonas Smedegaard wrote:
> Quoting Vikas Tara (2015-11-19 12:56:43)
>> On 19/11/15 11:32, Jonas Smedegaard wrote:
>>> Quoting Vikas Tara (2015-11-19 11:23:42)
>>>> We will be looking to make hamara-sugam as lean as possible and
>>>> encourage people to create apt repos on portable media to help each
>>>> other keep up to date.
>>> Custom APT repos have a high risk of spreading malware.
>> Am thinking of an apt repo that can be downloaded from us as a usb
>> image. It should be signed with our keys so that hamara installations
>> that update from such a medium, ought to complain if it's been
>> tampered with.
> Ah, so you don't wanna encourage folks to _create_ repos but instead to
> mirror _your_ repo.  Makes sense.
>
> How will you then handle security updates?
Periodically update the usb image - I think we can automate that pretty easily. Monthly drops maybe?
>
>
>>> A safer option is to use a proxy - I use approx when in bandwidth
>>> limited - or even completely offline - environments.
>> Yeah - works too - but might require the user to have greater
>> expertise?
> A proxy requires someone to set it up.  Just as a custom-composed signed
> repo requires someone to set it up.  That someone can be a skilled user,
> or a non-skilled user with distributor-provided user-friendly wrappers.
>
> I recommend proxy because it is generic, so if some (you?) created e.g.
> an LXDE GUI interface to flushing stale proxy data and injecting new
> packages from untrusted sources like USB sticks, then that work would
> instantly be usable globally, not unique to one distributor.
>
> You might also consider apt-offline - and its GUI apt-offline-gui.
Yeah - I like that idea!

Will give that some thought - and also look at apt-offline


Cheers



Vik
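The signed-USB-image idea above rests on a hash chain: apt verifies the OpenPGP signature on the Release file with the distributor's key, Release carries the SHA256 of every index file, and each Packages index carries the SHA256 of every .deb. The script below is an added example, not code from this thread, from Hamara or from apt; it reproduces the hash-chain part of that check over a constructed in-memory mirror (package names, paths and payloads are made up) and skips the gpgv signature step. It shows why a swapped .deb or an edited Packages index on a stick is caught even though the Release file itself is still validly signed.

```python
"""Hash-chain check modelled on what apt does with a signed repository.

Added example for the Hamara-devel thread; not apt's code and not Hamara's.
The OpenPGP signature on Release (InRelease / Release.gpg) is assumed to be
verified separately with gpgv and is not reproduced here.  Everything below
(package names, pool paths, payloads) is constructed sample data.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_packages_index(entries):
    """Render a minimal Packages index: one paragraph per (name, version, path, deb)."""
    paragraphs = []
    for name, version, filename, deb in entries:
        paragraphs.append(
            f"Package: {name}\nVersion: {version}\nArchitecture: amd64\n"
            f"Filename: {filename}\nSize: {len(deb)}\nSHA256: {sha256_hex(deb)}\n"
        )
    return "\n".join(paragraphs).encode()


def build_release(suite, index_files):
    """Render a minimal Release file whose SHA256 section covers each index file."""
    lines = [f"Suite: {suite}", "Architectures: amd64", "Components: main", "SHA256:"]
    for path, data in index_files.items():
        lines.append(f" {sha256_hex(data)} {len(data):>16} {path}")
    return "\n".join(lines).encode() + b"\n"


def parse_release_sha256(release: bytes):
    """Return {path: (sha256, size)} from the SHA256 section of a Release file."""
    checksums = {}
    in_section = False
    for line in release.decode().splitlines():
        if line.startswith("SHA256:"):
            in_section = True
            continue
        if not line.startswith(" "):      # any other top-level field ends the section
            in_section = False
            continue
        if in_section:
            digest, size, path = line.split()
            checksums[path] = (digest, int(size))
    return checksums


def parse_packages(packages: bytes):
    """Return one {field: value} dict per package paragraph."""
    pkgs = []
    for paragraph in packages.decode().strip().split("\n\n"):
        fields = {}
        for line in paragraph.splitlines():
            key, _, value = line.partition(": ")
            fields[key] = value
        pkgs.append(fields)
    return pkgs


def verify_mirror(release: bytes, files: dict) -> list:
    """Walk the chain Release -> Packages -> .deb over a {path: bytes} mirror.

    Returns a list of problems; an empty list means every file on the mirror
    matches what the (signed) Release file vouches for.
    """
    problems = []
    for path, (digest, size) in parse_release_sha256(release).items():
        data = files.get(path)
        if data is None:
            problems.append(f"missing index {path}")
            continue
        if len(data) != size or sha256_hex(data) != digest:
            problems.append(f"index {path} does not match Release")
            continue        # never trust package hashes from an index that failed
        for pkg in parse_packages(data):
            deb = files.get(pkg["Filename"])
            if deb is None:
                problems.append(f"missing {pkg['Filename']}")
            elif len(deb) != int(pkg["Size"]) or sha256_hex(deb) != pkg["SHA256"]:
                problems.append(f"{pkg['Package']} {pkg['Version']}: .deb hash mismatch")
    return problems


def build_sample_mirror():
    """Constructed USB-style mirror: one suite, one component, two packages."""
    deb_a = "pool/main/h/hamara-example/hamara-example_1.0-1_amd64.deb"
    deb_b = "pool/main/h/hamara-tools/hamara-tools_0.3_amd64.deb"
    files = {deb_a: b"constructed deb payload A", deb_b: b"constructed deb payload B"}
    index_path = "main/binary-amd64/Packages"
    files[index_path] = build_packages_index([
        ("hamara-example", "1.0-1", deb_a, files[deb_a]),
        ("hamara-tools", "0.3", deb_b, files[deb_b]),
    ])
    release = build_release("stable", {index_path: files[index_path]})
    return release, files


def check_clean_and_tampered():
    """Verify the pristine mirror, then the same mirror with one .deb replaced."""
    release, files = build_sample_mirror()
    tampered = dict(files)
    tampered["pool/main/h/hamara-tools/hamara-tools_0.3_amd64.deb"] = b"replaced payload"
    return verify_mirror(release, files), verify_mirror(release, tampered)


if __name__ == "__main__":
    clean, bad = check_clean_and_tampered()
    print("clean mirror:", clean or "OK")
    print("tampered mirror:", bad)
```

The practical consequence for the monthly-drop plan is that the signature only protects what Release enumerates at signing time, so a refreshed image needs a freshly signed Release, and a stale signed Release is still "valid" to apt unless a Valid-Until field makes it expire; apt-offline and approx sidestep the question by fetching indexes from the real archive.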

