On 04.10.2018 01:19, Carl-Valentin Schmitt wrote:
> It would be a possibility, for safety to create a new directory only for
> brandy 3rd-party-software like skype, Google Chrome, Swift, and else
> Software where huge companies are Sponsors.
>
> This would then mean, to create a second sources list for 3rd-party-links.

We don't need to add anything to dpkg/apt for that - there's a simpler solution:

Automatically fetch those packages from the vendor and collect them into our own repo, but run a strict analysis before accepting anything. Rules could be strictly limiting to certain filename patterns, file modes (e.g. forbid suid or limit to certain owners), no maintainer scripts, etc, etc. We could either filter out anything suspicious or reject the package completely (maybe even automatically filing upstream bugs :p).

Yes, that would have to be customized per-package, but we're only talking about a handful of packages, anyways.

What's really important for me: don't add more complexity on the target apt/deb for these few cases, unless *absolutely* *necessary*.

By the way: we can put aside the whole Skype issue for the next few months, as it's completely broken and unusable anyways - for several months now. We could reconsider once the Upstream (Microsoft) manages to get it at least running w/o segfaulting.

--mtx

--
Enrico Weigelt, metux IT consult
Free software and Linux embedded engineering
i...@metux.net -- +49-151-27565287
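
The acceptance check proposed in this message, sketched as an added example (not code from the thread or from any Debian tool): it reads a vendor `.deb` without unpacking it and reports maintainer scripts, setuid/setgid bits, non-root owners, device nodes and paths outside an allow-list. The allow-list, the `vendorapp` name and the function names are assumptions chosen for illustration.

```python
import io, posixpath, re, stat, sys, tarfile

# Assumed per-package policy (hypothetical values; tune for each vendor package).
ALLOWED = re.compile(r"^/(opt/vendorapp|usr/share/(applications|doc|icons))(/|$)")
SCRIPTS = {"preinst", "postinst", "prerm", "postrm", "config"}

def ar_members(blob):
    """Yield (name, data) for each member of a .deb, which is an ar archive."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60].decode("ascii")
        name, size = hdr[:16].strip().rstrip("/"), int(hdr[48:58])
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)          # members are 2-byte aligned

def audit_deb(blob):
    """Return policy violations for a .deb; an empty list means acceptable."""
    problems = []
    for member, data in ar_members(blob):
        if not member.startswith(("control.tar", "data.tar")):
            continue
        try:  # "r:*" auto-detects the compressions this tarfile build supports
            tar = tarfile.open(fileobj=io.BytesIO(data), mode="r:*")
        except tarfile.ReadError:
            problems.append(f"unreadable member: {member}")
            continue
        with tar:
            for m in tar:                      # headers only, nothing is extracted
                path = posixpath.normpath("/" + m.name)
                if member.startswith("control.tar"):
                    if path[1:] in SCRIPTS:
                        problems.append(f"maintainer script: {path[1:]}")
                    continue
                if m.mode & (stat.S_ISUID | stat.S_ISGID):
                    problems.append(f"setuid/setgid: {path}")
                if (m.uid, m.gid) != (0, 0):
                    problems.append(f"non-root owner: {path}")
                if m.ischr() or m.isblk():
                    problems.append(f"device node: {path}")
                if not m.isdir() and not ALLOWED.match(path):
                    problems.append(f"path outside allow-list: {path}")
    return problems

if __name__ == "__main__":
    for deb in sys.argv[1:]:                   # usage: audit.py vendor.deb ...
        with open(deb, "rb") as fh:
            print(deb, audit_deb(fh.read()) or "OK")
```

Symlink and hard-link targets are not examined here; a member that cannot be read is reported rather than skipped, so the check fails closed.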