[Freedombox-pkg-team] Bug#962084: Adding buster-backport to apt sources on install seems wrong

[Joseph Nuthalapati]

This is also being discussed on a Debian Salsa issue. Cross-linking.
https://salsa.debian.org/freedombox-team/freedombox/-/issues/1855

On 03/06/20 1:05 pm, Christian Ehrhardt wrote:
> Package: plinth
> Version: 20.10
> severity: serious
> 
> Hi,
> running into issues today I realized that the new freedombox 20.10
> places this file on disk:
> $ cat /etc/apt/sources.list.d/freedombox2.list
>   # This file is managed by FreedomBox, do not edit.
>   # Allow carefully selected updates to 'freedombox' from backports.
>   deb http://deb.debian.org/debian buster-backports main
>   deb-src http://deb.debian.org/debian buster-backports main
> 
> IMHO a package should not on-install mess with apt sources. Users just
> don't expect this or the follow on consequences that can happen.
> For example you are pinning python packages from backports which I'd
> expect might lead to quite some dependency hell with other things installed.
> 
> I was facing this in Ubuntu where it is even more wrong and essentially
> breaking `apt update`, but IMHO it is even wrong if not outright
> forbidden by some policy in Debian. I mean adding 'buster-backports' and
> pinning to them in e.g. 'sid' - to me that sounds like calling for trouble.
> 
> I'd ask you to reconsider and remove this behavior. If you want/need to
> keep it then maybe at least consider adding a skip if `dpkg-vendor
> --derives-from Ubuntu` is true. Would that work better for you?
> 
> -- 
> Christian Ehrhardt
> Staff Engineer, Ubuntu Server
> Canonical Ltd

-- 
Regards,
Joseph Nuthalapati

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/freedombox-pkg-team/attachments/20200603/fa109e8e/attachment.sig>