[Freedombox-pkg-team] Bug#962084: Adding buster-backport to apt sources on install seems wrong

Sunil Mohan Adapa sunil at medhas.org
Thu Jun 4 00:29:39 BST 2020 

On 03/06/20 12:35 am, Christian Ehrhardt wrote:
> Package: plinth
> Version: 20.10
> severity: serious
> 
> Hi,
> running into issues today I realized that the new freedombox 20.10
> places this file on disk:
> $ cat /etc/apt/sources.list.d/freedombox2.list
>   # This file is managed by FreedomBox, do not edit.
>   # Allow carefully selected updates to 'freedombox' from backports.
>   deb http://deb.debian.org/debian buster-backports main
>   deb-src http://deb.debian.org/debian buster-backports main
> 
> IMHO a package should not on-install mess with apt sources. Users just
> don't expect this or the follow on consequences that can happen.
> For example you are pinning python packages from backports which I'd
> expect might lead to quite some dependency hell with other things installed.
> 
> I was facing this in Ubuntu where it is even more wrong and essentially
> breaking `apt update`, but IMHO it is even wrong if not outright
> forbidden by some policy in Debian. I mean adding 'buster-backports' and
> pinning to them in e.g. 'sid' - to me that sounds like calling for trouble.
> 
> I'd ask you to reconsider and remove this behavior. If you want/need to
> keep it then maybe at least consider adding a skip if `dpkg-vendor
> --derives-from Ubuntu` is true. Would that work better for you?

Thank you for the bug report.

We are planning to restrict selection of backports to Debian. A fix
should be available soon[1]]. Pinning of packages should not effect
non-Debian distributions. Packages will be installed from Backports if
available and if only if they are higher version. In all other cases
they will be installed from other sources and pinned priorities won't
effect in any way.

Beyond that we are also planning to make the selection of backports an
explicit step in the user interface (restricted to Debian)[2].

Links:

1) https://salsa.debian.org/freedombox-team/freedombox/-/merge_requests/1824

2) https://salsa.debian.org/freedombox-team/freedombox/-/issues/1855

Thanks,

-- 
Sunil

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/freedombox-pkg-team/attachments/20200603/81b9ee26/attachment.sig>

More information about the Freedombox-pkg-team mailing list