So, in 2015 I wrote:

> Hi,
> 
> At $DAYJOB, I'm maintaining a few repositories with ready-to-install
> packages for a number of distributions[1]
> 
> Currently, the instructions[2] say to do the following:
> - Download and install an "eid-archive" package, which contains the GPG
>   keys and generates a sources.list.d file for the repository;
> - Run "apt-get update";
> - Install the "eid-mw" and/or "eid-viewer" packages.
> 
> This works, but it has a number of downsides:
> - The second step, "run apt-get update", is often overlooked; this seems
>   to be the case especially for users of Ubuntu, where the default
>   handler for installing packages is the "Software Center", a GUI
>   software management tool that doesn't have any UI element for doing
>   (the equivalent of) apt-get update
> - There is no trust path from your already-installed distribution to the
>   "archive" package (yes, I did sign the gpg keys; no, I don't consider
>   that enough).
> - It still requires users to manually install packages.
> 
> I note that other third-party developers often provide a single debian
> package that can be installed, where the binary package itself already
> contains repository configuration that gets installed. This method
> works for application software, but (as in my case) if the intent is to
> provide a library that wants to support multiarch, this approach doesn't
> work.
> 
> There is add-apt-repository, which presumably works, but:
> - It doesn't solve the "trust path" issue for third-party repositories,
>   (except, *maybe*, for PPAs, but that's Ubuntu, not Debian, so doesn't
>   solve my problem)
> - It doesn't remove the "manually install" requirement
> - I don't believe it solves the "user didn't do the apt-get update"
>   step, although I haven't checked in detail.
> 
> Do we have anything better, or should I try to come up with something
> myself?
> 
> [1] specifically, https://files.eid.belgum.be/
> [2] http://eid.belgium.be/en/using_your_eid/installing_the_eid_software/linux/

This caused a bit of discussion at the time, but no real implementation. Until
now.

I spent some time earlier this week to write, as a proof-of-concept,
<https://salsa.debian.org/extrepo-team>, which contains two repositories:

- The first contains an "extrepo" package, that hasn't been uploaded yet
  (and will probably need some more work before that can happen)
- The "extrepo-data" repository contains some YAML files that can be
  consumed by the first package.

The idea would be that maintainers of third-party repositories (or other
interested parties) can file a merge request to add metadata for their
repository to the index file. When, after proper vetting of the
repository in question, the MR is accepted, that metadata then gets
slightly mangled and signed with a GPG key, then published on
pages.debian.net (or somewhere else, if necessary).

The software from the package downloads the metadata index and validates
the GPG signature; and if everything checks out, adds configuration to
/etc/apt/sources.list.d and /etc/apt/trusted.gpg.d to enable the
repository.

(I could also update the "add-apt-repository" program from the
software-properties-common package, and I might do so if this turns out
to be a success; but for a proof-of-concept that seems premature).

Does this seem like a particularly bad idea to anyone?

-- 
To the thief who stole my anti-depressants: I hope you're happy

  -- seen somewhere on the Internet on a photo of a billboard
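The client-side step described above (fetch the signed index, check the
signature, then drop apt configuration in place), as an added example
that is not extrepo's code. Assumptions not taken from the post: the
index parses (e.g. with yaml.safe_load) to a mapping of repository name
to an entry with 'uri', 'suites', 'components' and an ASCII-armored
'gpg-key'; the index ships with a detached signature checked by gpg(1)
against a keyring shipped in the package; keys are written to
/usr/share/keyrings and pinned with a deb822 Signed-By field instead of
/etc/apt/trusted.gpg.d, so the third-party key can only vouch for its
own repository. The sample entry is constructed and its key body is a
stub. Two checks a practitioner would want are included: the repository
name is used in file names, so it is restricted to a safe character
set, and every value emitted into the deb822 file must be free of
whitespace, because an embedded newline could otherwise smuggle a field
such as "Trusted: yes" into the sources file.

```python
#!/usr/bin/env python3
"""Client for a GPG-signed third-party repository index (added example).

Index layout, key location and file names are assumptions, not extrepo's.
"""
import re
import subprocess
from pathlib import Path

KEYRING_DIR = Path("/usr/share/keyrings")
SOURCES_DIR = Path("/etc/apt/sources.list.d")

# The name becomes part of a file name, so no '/', '..' or leading dots.
NAME_RE = re.compile(r"[a-z0-9][a-z0-9.-]{0,63}")
# Values go into deb822 fields; whitespace (esp. a newline) must not appear.
TOKEN_RE = re.compile(r"\S+")

# Constructed sample entry (assumed field names); the key body is a stub.
SAMPLE_INDEX = {
    "example-repo": {
        "description": "Example third-party repository (constructed)",
        "uri": "https://packages.example.org/debian",
        "suites": ["bullseye", "bookworm"],
        "components": ["main"],
        "gpg-key": (
            "-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
            "...armored key material would go here...\n"
            "-----END PGP PUBLIC KEY BLOCK-----\n"
        ),
    },
}


def verify_index(index: Path, signature: Path, keyring: Path) -> bool:
    """Verify the detached signature on the downloaded index with gpg(1).

    Only the keyring shipped with the package is consulted, so a signature
    by any other key, even one the user imported, is rejected.
    """
    cmd = ["gpg", "--batch", "--no-default-keyring", "--keyring", str(keyring),
           "--verify", str(signature), str(index)]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def validate_entry(name: str, entry: dict) -> None:
    """Raise ValueError for anything that must not reach the apt config."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"repository name {name!r} is not a safe file name")
    for field in ("uri", "suites", "components", "gpg-key"):
        if field not in entry:
            raise ValueError(f"{name}: missing field {field!r}")
    for field in ("suites", "components"):
        if not isinstance(entry[field], list) or not entry[field]:
            raise ValueError(f"{name}: {field} must be a non-empty list")
    for tok in (entry["uri"], *entry["suites"], *entry["components"]):
        if not isinstance(tok, str) or not TOKEN_RE.fullmatch(tok):
            raise ValueError(f"{name}: value {tok!r} contains whitespace")
    if not entry["uri"].startswith(("http://", "https://")):
        raise ValueError(f"{name}: uri must use http or https")
    key = entry["gpg-key"]
    if not isinstance(key, str) or not key.startswith("-----BEGIN PGP PUBLIC KEY BLOCK-----"):
        raise ValueError(f"{name}: gpg-key is not an ASCII-armored public key")


def entry_is_acceptable(name: str, entry: dict) -> bool:
    """Boolean form of validate_entry, for skipping bad entries in a loop."""
    try:
        validate_entry(name, entry)
    except ValueError:
        return False
    return True


def plan_repository(name: str, entry: dict) -> dict:
    """Return {absolute path: contents} for the files that enable `name`.

    The key gets its own keyring and is pinned with Signed-By, so it can only
    authenticate this repository; a key in /etc/apt/trusted.gpg.d would be
    accepted for every repository on the system.
    """
    validate_entry(name, entry)
    keyring = KEYRING_DIR / f"extrepo-{name}.asc"
    sources = SOURCES_DIR / f"extrepo-{name}.sources"
    deb822 = (
        "Types: deb\n"
        f"URIs: {entry['uri']}\n"
        f"Suites: {' '.join(entry['suites'])}\n"
        f"Components: {' '.join(entry['components'])}\n"
        f"Signed-By: {keyring}\n"
    )
    return {str(keyring): entry["gpg-key"], str(sources): deb822}


def enable_repository(name: str, entry: dict, root: Path = Path("/")) -> list:
    """Write the planned files under `root` (use a staging dir for testing)."""
    written = []
    for path, content in plan_repository(name, entry).items():
        target = root / Path(path).relative_to("/")
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
        target.chmod(0o644)  # world-readable, root-owned like the rest of apt's config
        written.append(str(target))
    return written


if __name__ == "__main__":
    # Usage: INDEX INDEX.sig SIGNING-KEYRING NAME [ROOT]; CLI path needs PyYAML.
    import sys
    import yaml
    index, sig, keyring, name = sys.argv[1:5]
    root = Path(sys.argv[5]) if len(sys.argv) > 5 else Path("/")
    if not verify_index(Path(index), Path(sig), Path(keyring)):
        sys.exit("index signature did not verify; refusing to continue")
    data = yaml.safe_load(Path(index).read_text())
    print("\n".join(enable_repository(name, data[name], root)))
```

Nothing here runs "apt-get update"; the caller still has to do that (or
trigger it) after enable_repository returns, which is the step the
original mail complains users forget.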
