Brad Rogers <b...@fineby.me.uk> wrote:
> On Fri, 11 Oct 2024 07:37:03 +0000
> Michael Kjörling <c9bc136c6...@ewoof.net> wrote:
>
> Hello Michael,
>
> >That sounds like an even better argument for not pinning _everything_
> >coming from that repository at priority 1000.
>
> Maybe, but;
>
> As an experiment, I added the mozilla repo and updated. Everything
> from their repos was listed as 'new'. Nothing was marked to be
> upgraded. By extension, I would expect stable to behave in the same
> manner.
I think the point is not about what actually happens now, but what might happen in future if some evil actor gets access to mozilla's repository and injects some malware into it. And thus the degree of trust that ought to be given to the repository and the degree of trust that it ought to ask for out of the box.
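The trade-off under discussion, as an added illustration that is not part of any message in this thread: a simplified model of apt_preferences(5) pin resolution, comparing a broad `Package: *` pin at priority 1000 against one scoped to `firefox*`. The packages and versions are constructed, `packages.mozilla.org` is assumed as the origin string, and version ordering is a plain numeric split rather than dpkg's comparison.

```python
import fnmatch
from dataclasses import dataclass

# Simplified model of apt's pin handling written for this thread; it is not apt's own code.
# Specific-form records (a package name or glob) take precedence over general-form
# records (Package: *), the first matching record wins, and the default priority for a
# version from a non-target release is 500. Priority >= 1000 allows downgrades.

@dataclass(frozen=True)
class Version:
    package: str
    version: str
    origin: str

@dataclass(frozen=True)
class Pin:
    package_glob: str   # "*" is the general form; anything else is the specific form
    origin: str         # value of the "Pin: origin ..." line
    priority: int

def priority(v, pins):
    ordered = [p for p in pins if p.package_glob != "*"] + [p for p in pins if p.package_glob == "*"]
    for p in ordered:
        if p.origin == v.origin and fnmatch.fnmatch(v.package, p.package_glob):
            return p.priority
    return 500

def version_key(s):
    return tuple(int(x) for x in s.split("."))   # enough for the constructed data below

def candidate(package, available, pins):
    versions = [v for v in available if v.package == package]
    return max(versions, key=lambda v: (priority(v, pins), version_key(v.version)))

AVAILABLE = [   # constructed sample data
    Version("firefox", "115.0", "deb.debian.org"),
    Version("firefox", "131.0", "packages.mozilla.org"),
    # Constructed: a package Debian ships that the third-party repo also publishes at a
    # LOWER version. This is the "what if the repo is ever compromised" case from the thread.
    Version("libexample", "2.0", "deb.debian.org"),
    Version("libexample", "1.5", "packages.mozilla.org"),
]

BROAD = [Pin("*", "packages.mozilla.org", 1000)]         # everything from that origin wins, even a downgrade
NARROW = [Pin("firefox*", "packages.mozilla.org", 1000)]  # only the packages you actually want from there

def resolve(pins):
    # Returns {package: (winning origin, version, downgrade_allowed)} for each package.
    out = {}
    for pkg in sorted({v.package for v in AVAILABLE}):
        c = candidate(pkg, AVAILABLE, pins)
        out[pkg] = (c.origin, c.version, priority(c, pins) >= 1000)
    return out

if __name__ == "__main__":
    for name, pins in (("broad", BROAD), ("narrow", NARROW)):
        print(name, resolve(pins))
```

With the broad pin, the constructed `libexample` 1.5 from the third-party origin displaces Debian's 2.0; with the narrow pin, only `firefox` comes from that origin and `libexample` stays with Debian. On a real system, `apt-cache policy <package>` shows which pin and priority apt actually applied.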