What is the advantage of PPAs over an apt repo that users place in /etc/apt/sources.list.d/someexternalapp? Is it having a central site that users can search for packages? Basically a social portal?
Having an automated per-user publishing pipeline for packages is a non trivial endeavour.
These days you can get close with github-actions style pieplines and releases, but the PPA system has always been a more complete platform in terms of dependency management.
You can get close with some debian tooling (im a fan of sbuild), but it's some overhead to deal with.
Universe packages are not supported by Ubuntu unless you activate Ubuntu Pro. Thus, if you install ffmpeg on Ubuntu without Pro, it will contain several active vulnerabilities. The full five years only applies packages in the main repo.
It's not the case for this example of ffmpeg (it's actually not patched), but make sure to check the actual changelog. Sometimes the version is kept, but the patches are backported, so a plain version comparison is not enough.
That is also absolutely unchanged compared to "since forever". Canonical supports "main", while "universe" and "multiverse" offer best-effort community support (aka from debian). They now additionally offer a dedicated team for those repos.
Honest question, since the arch wiki seems surprisingly spotty on this: Which arch repos are covered by their security team? Just core? Or also extra? More than that? AUR surely not, right?
Not even "from debian". Sometimes they can't be bothered to copy debian packages that fix security issues if the package is in universe, and just leave it vulnerable for the entire duration of the LTS.
I wanted to find another reason to not use Ubuntu for servers (besides Snap being forced on everyone) and this was it.
At least, in Debian, most of the packages I use on my server are from their main repos. Occasionally there are a few from other sources but by the time a new Debian patch is released, those other packages are also updated.
28 comments
[ 3.2 ms ] story [ 63.9 ms ] threadUbuntu Pro Shenanigans - https://news.ycombinator.com/item?id=38254040 - Nov 2023 (92 comments)
PPAs are built against Ubuntu packages as dependencies - which usually but not always match Debian ones. Easy way to get subtly broken programs
These days you can get close with github-actions style pieplines and releases, but the PPA system has always been a more complete platform in terms of dependency management.
You can get close with some debian tooling (im a fan of sbuild), but it's some overhead to deal with.
Also Debian is always much further behind than Ubuntu on new packages.
When I install an LTS version with a Universe package like ffmpeg, does everything continue getting security patches for the full five-year LTS life?
Or do I now need Ubuntu Pro to get the full five years?
I've been tempted to go back to Arch and I think this can be a good motivator.
Honest question, since the arch wiki seems surprisingly spotty on this: Which arch repos are covered by their security team? Just core? Or also extra? More than that? AUR surely not, right?
Happened to me.
https://ubuntu.com/security/esm
At least, in Debian, most of the packages I use on my server are from their main repos. Occasionally there are a few from other sources but by the time a new Debian patch is released, those other packages are also updated.
For servers, CentOS is reliable as fuck.
IBM isn't exactly the most trustworthy steward.
now we have 'rocky linux' taking the place of old downstream centos as 1:1 bug-for-bug rhel compatible (against ibm's wishes)
and 'almalinux' building a stable release on top of centos stream (ibm seems to be ok with)