Q: should I trust gitlab user morph027 to package Gitea for debian?
A: lol

@fasterthanlime debian packages are rad, but every single deb package not in an actual debian release seems to treat the entire debian policy and maintainers' guide as "more of a suggestion that only applies to others".

So, my answer is always no...

Also, mad respect for @whack and fpm, but I've run into so many deb packages which are just really bad because its GSD ethos has little respect for the nuance of a well defined shared community standard.

@drawks @fasterthanlime packaging is way harder than it needs to be. YOLO: install the package!
@whack @drawks i'm not even complaining about the quality of the package, tbh - just.. giving someone the power to pwn my server anytime they feel like it is... not on my bingo card for 2023.
@fasterthanlime @drawks yeah the risk feels icky. I run some rando’s Docker image for my Ubiquiti wifi controller 🫠

@whack @fasterthanlime packaging is easy except for agreeing on how to solve ambiguity; the debian policy removes ambiguity. Packaging practices that don't follow the policy often mean that things end up stepping on the toes of other packages OR the packages just not behaving in an expected manner. Sometimes it isn't a practical problem, but other times it becomes a huge headache.

1/2

@whack @fasterthanlime the off the top of my head example would be the consul packages from hashicorp aggressively chown/chmod files under /etc/consul which can lead to secrets being made readable by users which shouldn't have read access. The package itself is built using nfpm in a GitHub action pipeline that contains install scripts which intend to be compatible with both redhat and debian based distros but violate the expectations/standards of both.

2/2

p.s. yes I know nfpm != fpm
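The consul example above describes a post-install script loosening permissions on files under /etc/consul so that secrets become readable by users who should not have them. The script below is an added defensive check, not code from this thread or from any of the projects mentioned: it walks a directory and lists regular files whose mode bits grant group or world read access, which is the audit you would run after installing a third-party .deb. The /etc/consul-like tree, file names and contents it builds are constructed sample data; the directory is a temporary one so nothing on the host is touched.

```shell
#!/bin/sh
# Added example: audit a config directory for secrets that a package's
# install script may have made group- or world-readable.
# Not part of the thread or of consul/nfpm; paths and files are constructed.

# Print every regular file under $1 whose mode grants read access to
# group (040) or other (004). Octal -perm tests are portable across
# GNU and BSD find.
find_exposed_files() {
    dir="$1"
    find "$dir" -type f \( -perm -004 -o -perm -040 \) 2>/dev/null | sort
}

# Return the number of exposed files as a bare integer (0 when none).
count_exposed_files() {
    find_exposed_files "$1" | wc -l | tr -d ' '
}

# Build a constructed tree that mimics /etc/consul after a bad post-install:
#   secrets.hcl  0600  correct, owner-only
#   consul.hcl   0644  world-readable (simulated chmod gone wrong)
#   other.json   0640  group-readable
# Prints the temp directory path so the caller can audit and clean it up.
make_sample_tree() {
    base="$(mktemp -d)"
    mkdir -p "$base/consul.d"
    printf 'encrypt = "CONSTRUCTED-PLACEHOLDER-KEY"\n' > "$base/consul.d/secrets.hcl"
    chmod 600 "$base/consul.d/secrets.hcl"
    printf 'datacenter = "dc1"\n' > "$base/consul.d/consul.hcl"
    chmod 644 "$base/consul.d/consul.hcl"
    printf '{"constructed": true}\n' > "$base/consul.d/other.json"
    chmod 640 "$base/consul.d/other.json"
    printf '%s\n' "$base"
}

# When run with a directory argument, audit that directory and exit
# non-zero if anything is exposed; with no argument, run the constructed demo.
if [ "$#" -gt 0 ]; then
    find_exposed_files "$1"
    [ "$(count_exposed_files "$1")" -eq 0 ]
elif [ -z "${AUDIT_DEMO_DONE:-}" ]; then
    demo="$(make_sample_tree)"
    echo "exposed files under $demo:"
    find_exposed_files "$demo"
    rm -rf "$demo"
fi
```

Usage: `sh audit_perms.sh /etc/consul` prints any group- or world-readable files and exits 1 if there are any, so it drops straight into a post-install hook or a CI step that installs the package into a container and then audits it. Note that this is a mode-bit check only; files with a correct mode but the wrong owner or group still need an ownership check alongside it.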