
New Debian project leader talks open source careers, PPAs and more - Enindu
http://www.linux.com/news/software/applications/829303-new-debian-project-leader-talks-open-source-careers-ppas-and-more
======
yarrel
PPAs are an antipattern.

One of Debian's (many) advantages vs. Ubuntu is that there isn't an ecosystem
of poorly maintained but easily found packages around the core.

Lending Debian's reputation to such an ecosystem will not improve Debian's
standing or user experience.

~~~
chimeracoder
> One of Debian's (many) advantages vs. Ubuntu is that there isn't an
> ecosystem of poorly maintained but easily found packages around the core.

Context: I'm a full-time Debian user.

I firmly believe that the future is not around packaging as we've been
conceiving of it for the last decade or so, but around packaging in the form
of containers[0]. As a Debian user, I'd be really happy to see Debian keep an
eye towards containerization as a first-class citizen of the distribution,
the way apt(itude) and dpkg are now.

PPAs can either fit into this model or work against it, depending on how you
look at it. They can either enable the creation of containers by virtue of
being more flexible and more easily used inside container builds, or they can
serve as a crutch for low-quality packaging standards. So, I'd be excited for
PPAs in Debian, but I'd like to see them adopted as a tool to facilitate
first-class containerization in Debian, rather than the way they are used in
Ubuntu more as a place to hold unsupported or less-supported packages.

[0] Not necessarily Docker or even Docker-like containers, but containers
nonetheless.

~~~
dharma1
What do you think of
[https://developer.ubuntu.com/en/snappy/tutorials/build-snaps/](https://developer.ubuntu.com/en/snappy/tutorials/build-snaps/)

~~~
chris_wot
That's the tutorial - do you have a more detailed link?

~~~
dharma1
For an explanation of Snappy - or how to get/run/use it?

Here are a couple of links for the former:

[http://thenewstack.io/snappy-ubuntu-a-new-cloud-os-with-support-for-docker-in-a-post-shellshock-era/](http://thenewstack.io/snappy-ubuntu-a-new-cloud-os-with-support-for-docker-in-a-post-shellshock-era/)

[http://www.markshuttleworth.com/archives/1434](http://www.markshuttleworth.com/archives/1434)

------
radoslawc
From:
[https://help.ubuntu.com/community/PPA](https://help.ubuntu.com/community/PPA)
"Security

PPAs have not undergone the same process of validation as regular ubuntu
packages. End users install PPAs at their own risk. Although each key is
cryptographically signed, in order to confirm an uploader, keys are not
matched to specific individuals, except via their "launchpad" accounts.

Subsequently, installing a PPA should be considered to be a low-security
alternative as compared to the main repository, but marginally higher security
than simply installing software at random from the internet. As part of adding
a PPA, you trust the developer to not only install packages, but also to allow
them to provide ongoing updates."

This pretty much sums it all up. It's not a matter of hostility towards PPA or
trying to keep things oldskool. With all the effort towards signed, verified
packages, reproducible builds etc., adding functionality like PPA is for me
nothing more than installing "shareware" Windows apps from random sites.
Building packages by yourself is not that hard, especially with fpm or
checkinstall.

~~~
ploxiln
You might gain some trust in a team which maintains a particular PPA. You
import their key manually, and the key is not auto-updated or anything.

Installing shareware Windows apps from "random sites" seems riskier, they're
not signed by a single uploader's key which you import just once.

~~~
radoslawc
You're right. I've trolled a little. But still, this brings security issues
with it.
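
To see which uploaders a machine has granted the ongoing-update trust described in the quoted Ubuntu help text, this added example (not part of the thread or of any project's code) lists enabled PPA entries and flags those with no `signed-by` key tied to that one repository. The sample lines, the two PPA hostnames used for matching and the function names are assumptions; only the one-line sources.list style is parsed, not deb822 `.sources` files.

```python
import re
from urllib.parse import urlparse

# Constructed sample in one-line sources.list style (not taken from a real host).
SAMPLE_SOURCES = """\
deb http://deb.debian.org/debian bookworm main
deb [arch=amd64 signed-by=/etc/apt/keyrings/example-team.gpg] https://ppa.launchpadcontent.net/example-team/tools/ubuntu jammy main
deb http://ppa.launchpad.net/example-user/nightly/ubuntu jammy main
# deb http://ppa.launchpad.net/example-user/old/ubuntu focal main
deb-src http://ppa.launchpad.net/example-user/nightly/ubuntu jammy main
"""

# Assumption: these two hostnames are how PPA archives are recognised.
PPA_HOSTS = {"ppa.launchpad.net", "ppa.launchpadcontent.net"}
ENTRY = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)")


def audit_ppas(text):
    """Return one finding per enabled PPA entry in one-line-style sources text."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments and disabled entries
        match = ENTRY.match(line)
        if not match:
            continue
        kind, opts, uri, suite = match.groups()
        url = urlparse(uri)
        parts = [p for p in url.path.split("/") if p]
        if url.hostname not in PPA_HOSTS or len(parts) < 2:
            continue
        options = dict(o.split("=", 1) for o in (opts or "").split() if "=" in o)
        findings.append({
            "ppa": f"{parts[0]}/{parts[1]}",  # Launchpad owner / archive name
            "type": kind,
            "suite": suite,
            "signed_by": options.get("signed-by"),  # None: no per-repository key
        })
    return findings


def unscoped(findings):
    """PPAs whose entries name no signed-by key for that repository."""
    return sorted({f["ppa"] for f in findings if f["signed_by"] is None})


if __name__ == "__main__":
    for finding in audit_ppas(SAMPLE_SOURCES):
        print(finding)
    print("no signed-by:", unscoped(audit_ppas(SAMPLE_SOURCES)))
```

An entry without `signed-by` is verified against apt's global trusted keyring rather than a key tied to that one repository, so those are the entries to review first.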

------
tcdent
Is employment via Open Source contribution really as widespread as he
suggests?

Any examples of (smaller than a distro) projects with known paid contributors?

~~~
EmanueleAina
Qt, LibreOffice, OpenStack, Linux itself, WebKit, GStreamer, Wayland just to
name a few have both paid and free-time contributions (often from the same
people too).

Neil works for Collabora, we contribute to quite a few projects in our paid
time. ;)

