
In addition to the main package repositories for your distro, you can add little repos that just have one or two packages in them. They get their own signing keys, so the author of a package that's not in the main repo can make their own little repo. It's a lot more convenient and a little more secure than downloading the package file from the dev's website.


How is that different from what deb-multimedia.org and virtualbox.org do with their apt repositories?


You can just run apt-add-repository <reponame>, and it will add the correct files to /etc/apt/sources.list.d/ and install the signing keys.


Not much, just that Ubuntu hosts the PPAs themselves, and it's much easier to add them than it is to add individual repos.


Isn't it the case that Ubuntu compiles the packages themselves?

This offers a measure of security against malicious binaries ...


No, individuals can upload binary packages to PPAs.

Even if Launchpad builds the binary package, Ubuntu does not review packages' content.

The trust model for PPAs requires users to trust PPA owners, not Ubuntu.


But isn't the point of PPAs that Ubuntu doesn't host them?


No, the point is that they are outside the normal repositories, which require testing by the Ubuntu developers, bureaucracy, etc.
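Since the thread notes that apt-add-repository writes entries under /etc/apt/sources.list.d/ and that each PPA means trusting its owner, here is one way to list which owners a machine trusts. This is an added example, not code from any commenter or from Ubuntu; the sample entries, owner names and key paths are constructed, and it assumes one-line-style `deb` entries and PPAs served from ppa.launchpad.net or ppa.launchpadcontent.net.

```python
import re

# Constructed sample of one-line-style entries (not taken from a real system).
SAMPLE = """\
# constructed example entries
deb http://archive.ubuntu.com/ubuntu jammy main universe
deb [arch=amd64 signed-by=/etc/apt/keyrings/example-ppa.gpg] https://ppa.launchpadcontent.net/exampleowner/exampleppa/ubuntu jammy main
deb http://ppa.launchpad.net/otherowner/tools/ubuntu jammy main
# deb http://ppa.launchpad.net/disabled/old/ubuntu jammy main
deb-src [trusted=yes] https://repo.example.org/apt stable main
"""

# type, optional [options], URI, suite, optional components
ENTRY = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)(?:\s+(.*))?$")
# PPA URIs carry the owner and PPA name as the first two path segments.
PPA_URI = re.compile(r"^https?://ppa\.launchpad(?:content)?\.net/([^/]+)/([^/]+)/")


def audit_sources(text):
    """Return one record per active source entry, flagging PPAs and key scoping."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and disabled (commented-out) entries
        m = ENTRY.match(line)
        if not m:
            continue
        kind, opts, uri, suite, _components = m.groups()
        options = dict(o.split("=", 1) for o in (opts or "").split() if "=" in o)
        ppa = PPA_URI.match(uri)
        findings.append({
            "type": kind,
            "uri": uri,
            "suite": suite,
            # owner/name is the party the user is trusting for this source
            "ppa": f"{ppa.group(1)}/{ppa.group(2)}" if ppa else None,
            # None means the source is not pinned to a single key file
            "signed_by": options.get("signed-by"),
            # trusted=yes tells apt to skip signature verification for the source
            "unverified": options.get("trusted") == "yes",
        })
    return findings


if __name__ == "__main__":
    for f in audit_sources(SAMPLE):
        print(f)
```

On a real system, pass the function the concatenated contents of /etc/apt/sources.list and the `*.list` files under /etc/apt/sources.list.d/ instead of `SAMPLE`.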



