On 20.10.18 at 03:50, Chris Knadle wrote:
> Jonas Meurer:
>> * Adding backports to my sources.list doesn't automatically pull any
>> packages from there. I have to choose particular packages in a manual
>> process in order to install them from backports. That's different for
>> repositories like sury.org that provide packages under the release
>> target (e.g. 'stretch').
>> If I add deb.sury.org to my sources.list, then installed packages with
>> newer versions in this repo are automatically upgraded. This makes it
>> much easier to abuse the repo, e.g. in order to spread malware. In
>> other words, the attack vector is way larger.
>
> There's an available middle-ground, which is to add an additional repository to
> the sources.list file and add an apt Pin-Priority in /etc/apt/preferences.d/ for
> that repository (of say priority 150) such that any installed packages from the
> additional repository get updated, but any not-already-installed packages from
> the additional repository aren't automatically used for upgrades.
>
> See 'man apt_preferences' for details.

Yep, you're right. I was talking about the default experience for users
who don't know about advanced tricks.

Cheers
jonas
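
A simplified model of the version-selection rules in apt_preferences(5), added here as an illustration; it is not part of either message and not apt's own code. It compares what an upgrade run would change with the extra repository at apt's default priority of 500 versus pinned to 150 as suggested above. Package names, versions and the repository names `debian` and `extra` are constructed, and versions are plain tuples rather than real Debian version strings.

```python
# Simplified model of the selection rules in apt_preferences(5); not apt's code.
# Versions are plain integer tuples (constructed data), not real Debian versions.
INSTALLED_PRIO = 100  # priority apt assigns to the currently installed version

def candidate(installed, available, pins):
    """Return the version the rules would pick for one package.

    installed: version tuple, or None if the package is not installed
    available: list of (version, repo_name) offered by configured repos
    pins:      repo_name -> Pin-Priority
    """
    prio = {}
    for version, repo in available:
        prio[version] = max(prio.get(version, 0), pins[repo])
    if installed is not None:
        prio[installed] = max(prio.get(installed, 0), INSTALLED_PRIO)
    # Rule 1: never downgrade unless the priority exceeds 1000.
    allowed = [v for v, p in prio.items()
               if installed is None or v >= installed or p > 1000]
    # Rules 2 and 3: highest priority wins, ties go to the newest version.
    return max(allowed, key=lambda v: (prio[v], v))

def plan(system, repos, pins):
    """Map package -> new version for every installed package that would change."""
    changes = {}
    for pkg, installed in system.items():
        offers = [(r[pkg], name) for name, r in repos.items() if pkg in r]
        chosen = candidate(installed, offers, pins)
        if chosen != installed:
            changes[pkg] = chosen
    return changes

# Constructed sample: "libfoo" was installed from Debian, "bar" from the extra repo.
SYSTEM = {"libfoo": (1, 0), "bar": (1, 0)}
REPOS = {
    "debian": {"libfoo": (1, 0)},
    "extra": {"libfoo": (2, 0), "bar": (2, 0)},
}
DEFAULT = {"debian": 500, "extra": 500}  # no preferences file for the extra repo
PINNED = {"debian": 500, "extra": 150}   # Pin-Priority: 150 for the extra repo

if __name__ == "__main__":
    print("default:", plan(SYSTEM, REPOS, DEFAULT))
    print("pinned: ", plan(SYSTEM, REPOS, PINNED))
```

With the pin in place only `bar`, which already came from the extra repository, is updated from it; `libfoo` stays on the Debian version even though the extra repository offers a newer one.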