On Fri, Oct 11, 2024 at 11:56:12AM +0100, debian-u...@howorth.org.uk wrote:
> Brad Rogers <b...@fineby.me.uk> wrote:
> > On Fri, 11 Oct 2024 07:37:03 +0000
> > Michael Kjörling <c9bc136c6...@ewoof.net> wrote:
> >
> > Hello Michael,
> >
> > >That sounds like an even better argument for not pinning _everything_
> > >coming from that repository at priority 1000.
> >
> > Maybe, but;
> >
> > As an experiment, I added the mozilla repo and updated. Everything
> > from their repos was listed as 'new'. Nothing was marked to be
> > upgraded. By extension, I would expect stable to behave in the same
> > manner.
>
> I think the point is not about what actually happens now, but what
> might happen in future if some evil actor gets access to mozilla's
> repository and injects some malware into it.
>
> And thus the degree of trust that ought to be given to the repository
> and the degree of trust that it ought to ask for out of the box.
Thing is, these days libc is not my most valuable asset. See xkcd 1200 [1].

Cheers

[1] https://xkcd.com/1200/
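Added here as an illustration, not part of the thread: a simplified model of apt's pin rules from apt_preferences(5), showing why `Package: *` at priority 1000 for a third-party origin is the risky setting, why narrowing the pin to the one package you want is not enough on its own, and how also refusing the rest of that origin closes the gap. The origin label packages.mozilla.org, the libc6 versions and the "injected" entry are assumed and constructed for the example.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Version:
    package: str
    version: str
    origin: str

def vkey(version):
    # Simplified stand-in for dpkg's version comparison (dotted integers only).
    return tuple(int(x) for x in version.split("."))

def priority(ver, pins):
    """pins: list of (package, origin, priority) as in apt_preferences(5).
    Specific-form records (a named package) are consulted before general-form
    ('*') ones; within each form the first matching record wins."""
    for specific in (True, False):
        for pkg, origin, prio in pins:
            if (pkg != "*") == specific and origin == ver.origin \
                    and pkg in ("*", ver.package):
                return prio
    return 500  # apt's default priority for a non-target release

def candidate(package, installed, available, pins):
    """The version apt would pick for `package`: versions with a negative
    priority are never installed; otherwise the highest priority wins, ties go
    to the higher version, and a downgrade needs priority >= 1000."""
    versions = [v for v in available
                if v.package == package and priority(v, pins) >= 0]
    if not versions:
        return installed
    best = max(versions, key=lambda v: (priority(v, pins), vkey(v.version)))
    if installed is not None and vkey(best.version) < vkey(installed.version) \
            and priority(best, pins) < 1000:
        return installed
    return best

DEBIAN = "deb.debian.org"
THIRD = "packages.mozilla.org"  # assumed origin label for the Mozilla repo
INSTALLED = Version("libc6", "2.36", DEBIAN)
# Constructed catalogue: the libc6 from THIRD stands in for an injected package.
AVAILABLE = [INSTALLED, Version("libc6", "2.35", THIRD),
             Version("firefox", "131.0", THIRD)]
BROAD = [("*", THIRD, 1000)]                           # pin everything at 1000
NARROW = [("firefox", THIRD, 1000)]                    # pin only the wanted package
STRICT = [("firefox", THIRD, 1000), ("*", THIRD, -1)]  # ...and refuse the rest
if __name__ == "__main__":
    for name, pins in (("BROAD", BROAD), ("NARROW", NARROW), ("STRICT", STRICT)):
        c = candidate("libc6", INSTALLED, AVAILABLE, pins)
        print(f"{name}: libc6 -> {c.version} from {c.origin}")
```

With BROAD the lower-numbered libc6 from the third-party origin still becomes the candidate because priority 1000 permits a downgrade; with NARROW a higher-numbered one would still win on version at equal default priority, which is what the extra negative `Package: *` record in STRICT prevents.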