Author Topic: How do you setup a online repo?  (Read 950 times)


Offline Mortem Bonum

  • Neuling
  • *
  • Posts: 39
  • I'm new. Be nice!
  • Branch: Stable
  • Desktop: XFCE
  • GPU Card: NVIDIA GeForce GTX 960
  • GPU driver: Non-Free
  • Kernel: Linux-4.5
  • Skill: Intermediate
Re: How do you setup a online repo?
« Reply #15 on: 22. March 2016, 20:33:44 »
> You can create a custom repo online, but if your intention is to redistribute the ISO, ask yourself who will trust your online repo  :P

If I make all the packages in the repo require a signature to download them, then it wouldn't be a problem, would it? I mean I really don't want people to think that anything in my repo is malicious.

Offline jonathon

  • Core Team
  • *****
  • Posts: 2104
  • Technologist - Teacher - Tea drinker
  • Branch: Unstable
  • Desktop: MATE 1.14
  • GPU Card: Nvidia GTX680M
  • GPU driver: Bumblebee nvidia+intel
  • Kernel: 4.6.0-*-MANJARO x86_64
  • Skill: Advanced
Re: How do you setup a online repo?
« Reply #16 on: 22. March 2016, 23:18:02 »
You're creating a custom spin which requires users to trust packages built by the maintainer.

If you can't work this stuff out there's no reason users should trust what you're doing won't mess up their systems.

There's a barrier to entry for a reason. You must be "so" tall to ride.

Easy answer: don't distribute random crap AUR packages. There's a reason they've not been adopted by an Arch maintainer.


(Edit: re-reading and this is very short and sharp - I should probably stop writing responses when I don't have time to flesh them out)
« Last Edit: 23. March 2016, 15:02:40 by jonathon »
--
MSI GT70: Core i7-3630QM, 16GB, Nvidia GTX680M, Intel 2230, Manjaro-MATE-amd64-EFI
Lenovo X230: Core i5-3320M, 4GB, Intel HD4000, Intel 6205, Manjaro-MATE-amd64
Dell Studio 1749: Core i5 540, 8GB, ATi HD5650, Intel WLAN, Manjaro-Xfce-amd64
Let's go in the garden; you'll find something waiting.

Offline Mortem Bonum

Re: How do you setup a online repo?
« Reply #17 on: 23. March 2016, 13:29:10 »
> You're creating a custom spin which requires users to trust packages built by the maintainer.
>
> If you can't work this stuff out there's no reason users should trust what you're doing won't mess up their systems.
>
> There's a barrier to entry for a reason. You must be "so" tall to ride.
>
> Easy answer: don't distribute random crap AUR packages. There's a reason they've not been adopted by an Arch maintainer.

I have to admit that you have some interesting points there, Jonathon. I already considered signing the packages to make sure that the user knows that they aren't malicious, but maybe I should consider researching more into what AUR packages I include. I mean any random person can submit AUR packages, so I better take a hands-on approach and verify everything with namcap to make sure that the PKGBUILDs don't do anything particularly stupid.

Offline c00ter

  • Held Mitglied
  • *****
  • Posts: 1534
  • Towelie's cupcake
  • Branch: ☮Olive☮
  • Desktop: Depends©
  • GPU Card: Intel HD4400M CPU: Core i7-4510U
  • GPU driver: Intel/Free
  • Kernel: 4.4-lts & 4.5
  • Skill: Novice
Re: How do you setup a online repo?
« Reply #18 on: 23. March 2016, 17:23:59 »
> I have to admit that you have some interesting points there, Jonathon. I already considered signing the packages to make sure that the user knows that they aren't malicious, but maybe I should consider researching more into what AUR packages I include. I mean any random person can submit AUR packages, so I better take a hands-on approach and verify everything with namcap to make sure that the PKGBUILDs don't do anything particularly stupid.

There's more to it than that, as Jonathon points out.

Antergos adds its own custom repo to Arch in their spin. There's some pretty crappy stuff in it--I won't run it for that reason--and Antergos is mainstream, as far as Arch-based distros go. As an Archer, if I don't like their crap, why should I trust your crap?

Regards
P.S. Don't want to piss off any Antergians--it's just my opinion.
“What, me worry?” ― Alfred E. Newman

Manjaro Wiki: https://wiki.manjaro.org/
Arch Wiki: https://wiki.archlinux.org/
Pacman Rosetta: https://wiki.archlinux.org/index.php/Pacman/Rosetta

Offline Strit

  • Maintainer
  • ***
  • Posts: 746
  • Manjaro Torrent Maintainer
    • Strits.dk
  • Branch: Stable
  • Desktop: XFCE
  • GPU Card: GTX 760 OC
  • GPU driver: Non-free nvidia 361
  • Kernel: 4.4.8-1-MANJARO
  • Skill: Intermediate
Re: How do you setup a online repo?
« Reply #19 on: 29. March 2016, 08:33:21 »
By setting up a custom online repo to use with your Manjaro spin, you are asking the users to trust you no matter what.
Sure, if you sign the packages with a .sig file they can see that the packages are from you, but how would they know what the package does?
The only way you can really trust a packager is by getting the PKGBUILD, reviewing it and building it yourself.

How is this different for the Manjaro repos?
Well, the Manjaro team has signed each other's keys, so they vouch for each other. So if a package is packaged by a Manjaro developer, the rest of the developers have trusted that developer. And rest assured, if a trusted package does something it's not supposed to, that packager WILL be held accountable for it.
This is harder to do with a custom repo with "random" packages. Because only you have signed, only you know what the package actually does and only you have the power to change what that package does. Sure people can uninstall the package, but they need to find out it's installed to begin with and they need to rectify what it has done already, if it did something they do not like.

I have a custom repo myself, where I have some AUR packages and some custom packages, that I use in my Manjaro spin, so I am basically asking the users of that spin (if there are any) to blindly trust me.
Desktop PC: Manjaro XFCE 15.12 (stable, kernel 4.4)
Private Laptop: Manjaro Strit 16.03 (unstable, kernel 4.6)
Work Laptop: Manjaro Strit 16.03 (stable, kernel 4.4)
Netbook: Arch Linux XFCE/LXqt (i686, kernel 4.0)
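
An added example, not part of the thread or any poster's code: a first-pass triage of a PKGBUILD before the manual review Strit describes, showing the kind of thing a signature on the built package says nothing about. It only matches text and never sources the file, since sourcing a PKGBUILD executes it. The function name `review_pkgbuild`, the rule set and the sample PKGBUILD are assumptions made for this illustration.

```python
import re

# Constructed sample PKGBUILD for this example (not a real AUR package).
SAMPLE_PKGBUILD = '''\
pkgname=example-tool
pkgver=1.0
source=("http://downloads.example.invalid/example-tool-$pkgver.tar.gz")
md5sums=('SKIP')
install=example-tool.install

build() {
  curl -O https://example.invalid/extra.bin
  make
}
'''

# Patterns that mark lines a human reviewer should read closely (assumed rule set).
LINE_RULES = [
    (re.compile(r"\b(?:http|ftp)://"), "source fetched over plain http/ftp"),
    (re.compile(r"""['"]SKIP['"]"""), "integrity check skipped"),
    (re.compile(r"^\s*install="), "install scriptlet runs as root: read it too"),
    (re.compile(r"\|\s*(?:ba)?sh\b"), "output piped into a shell"),
]
NET_RULE = re.compile(r"\b(?:curl|wget|git\s+clone|pip\s+install|npm\s+install)\b")
FUNC_START = re.compile(r"^\s*[\w-]+\s*\(\)\s*\{")
STRONG_SUMS = re.compile(r"^(?:sha(?:224|256|384|512)|b2)sums", re.M)
WEAK_SUMS = re.compile(r"^(?:md5|sha1)sums", re.M)

def review_pkgbuild(text):
    """Return (line_number, note) pairs for a reviewer; line 0 means whole file."""
    findings, in_func = [], False
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # comments cannot change what the build does
        if FUNC_START.match(line):
            in_func = True
        elif in_func and line.startswith("}"):
            in_func = False
        for rx, note in LINE_RULES:
            if rx.search(line):
                findings.append((no, note))
        if in_func and NET_RULE.search(line):
            findings.append((no, "network fetch inside a build function, outside the checksums"))
    if WEAK_SUMS.search(text) and not STRONG_SUMS.search(text):
        findings.append((0, "only md5/sha1 checksums declared"))
    return findings

if __name__ == "__main__":
    for no, note in review_pkgbuild(SAMPLE_PKGBUILD):
        print(f"line {no}: {note}")
```

An empty result means only that none of these patterns matched; the PKGBUILD and any install scriptlet still have to be read before the package is built and signed.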