[maemo-developers] Ask for removal of some packages from Extras Fremantle repository

From: Graham Cobb g+770 at cobb.uk.net
Date: Mon Mar 22 17:22:13 EET 2010
On Monday 22 March 2010 14:30:00 Matan Ziv-Av wrote:
> On Mon, 22 Mar 2010, Graham Cobb wrote:
> > I just don't see how using your own repository is actually any **better**
> > than just using extras-devel?
>
> There are a few problems with extras-devel:
>
> - There are way too many warnings all over the place (mailing list,
>    wiki, talk), so some users might be be reluctant to use this
>    repository.

This will be true even more so for private repositories.  If/when they become 
at all common, there will be warnings all over the place about not 
downloading things from private repositories.  The biggest problem with 
private repositories is that there are no guarantees that the binary being 
installed bears any relationship to the sources offered (if any), or how 
securely the maintainer manages the repository, so people will start to worry 
about security/viruses/trojans.  Plus a concern that "if this was legitimate, 
why wouldn't the developer use the community channels?".

Please note that I am certainly **not** suggesting that you, or Benoit, are at 
all unreliable or incapable of managing a secure repository, but that people 
will worry about the risks at least as much as they do about extras-devel.

> - Some of the warnings are true, so asking people to use this repositort
>    might expose them to unwanted updates.

Yes.  But using a private repository might expose them to updates where no one 
can even work out what happened when it breaks.

> - autobuilder is too limited - currently you can't compile packages that
>    depend on versions in PR1.1.

That is a short term problem which only affects a tiny number of packages.  It 
is not a reason for removing something from extras-devel.

If a similar problem occurs in the future and affects many packages, a 
solution will be implemented, just as it is being for PR1.2.

> - You can't easily remove a package from extras-devel. (Or maybe at all?
>    I asked for a package to be removed two weeks ago. It is still there).

Contact the debmaster (Jeremiah) by direct email.

> - Using extras-devel might lock packages, preventing users that install
>    packages from this repository to later update them from another
>    repository.

That is true.  Although the user just has to remove the package and re-install 
it, instead.

> That said, I prefer to have my packages available both in my repository
> and in extras-devel, when it is possible.

I also have private repositories, for my own testing and for other members of 
upstream projects (such as GPE) to do testing before I even push something 
into extras-devel.  But that is not the same as publishing that location for 
end-users.

Graham
More information about the maemo-developers mailing list