Wednesday, August 28, 2019

repository - Unofficial/Local repositories and how do they differ from PPAs in Launchpad



I normally tend to use the PPAs (Personal Package Archives) found in launchpad.net, but I have noticed more and more that some repositories are being created in other places, or on a website that manages packages in a similar fashion to Launchpad.



So my questions are:




  • What is an official repository and an unofficial one (Local Repository), including the ones created outside of Launchpad.



  • How do repositories created outside of Launchpad compare to the ones found inside of it in terms of first, security, followed by any other features that both offer.


  • How do official software repositories differ from the ones created by 3rd party PPAs in Launchpad or outside of it.




If you boil this back to the simplest terms:




What is an official repository and an unofficial one (Local Repository), including the ones created outside of Launchpad.





An official repository is one published as part of Ubuntu, managed by Canonical and Ubuntu MOTUs.



They currently consist of main, restricted, universe, multiverse, partner, extras and some exist in multiple "states" (-proposed, -updates, -backports, etc).



The repo names might change in time but the point is that these are .



On mirrors: The contents (MD5 hashes of files, etc) of the repository are signed with the Ubuntu key so even if you're pulling the official files from a non-official mirror, you can be fairly certain that they are the original files.








How do repositories created outside of Launchpad compare to the ones found inside of it in terms of first, security, followed by any other features that both offer.




You can't implicitly compare security levels between a Launchpad PPA and another non-official repo hosted elsewhere. It all boils down to how much you trust the person running the repo.



The difference is that with a Launchpad PPA, you can see the person who is packaging things. Most times you can see the source. In other repos (e.g. dl.google.com or repo.steampowered.com) you likely know neither.



Trust is an odd thing.




Feature-wise, a repo is just a particular structure of directories and files, hosted on the web. The only special feature I've ever seen is authentication to allow only people who have purchased software to download it, but this is very basic web server security and hardly special :)







How do official software repositories differ from the ones created by 3rd party PPAs in Launchpad or outside of it.




This is perhaps the biggest of the questions and it's probably best answered (if indirectly) by another question: How to get my software into Ubuntu?




Official repo software is supposed to have a development process behind it. Levels of testing that ensure quality and an amount of peer review. PPA maintainers can encourage this sort of process but it's not something you can assume. Some are better than others.
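
The hash chain behind the "On mirrors" point above, as an added example that is not part of the original answer: the signed Release file lists digests of the Packages indexes, and each Packages stanza lists the digest of its .deb, so a mirror cannot swap either without detection. It uses the Release file's SHA256 section and assumes the Release signature has already been checked against the archive key; all paths, file contents and helper names are constructed for illustration.

```python
import hashlib

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def parse_release(text):
    """Map index path -> (sha256, size) from the SHA256: section of a Release file."""
    entries, inside = {}, False
    for line in text.splitlines():
        if line.startswith("SHA256:"):
            inside = True
        elif inside and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        elif inside:
            break  # the next top-level field ends the section
    return entries

def parse_packages(text):
    """Map Filename -> (sha256, size) from the stanzas of a Packages index."""
    pkgs = {}
    for stanza in text.strip().split("\n\n"):
        f = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        pkgs[f["Filename"]] = (f["SHA256"], int(f["Size"]))
    return pkgs

def matches(data, expected):
    return expected is not None and expected == (sha256(data), len(data))

def verify_chain(release, index_path, index, deb_path, deb):
    """Assumption: `release` was already signature-checked against the archive key."""
    if not matches(index, parse_release(release).get(index_path)):
        return "index rejected"
    if not matches(deb, parse_packages(index.decode()).get(deb_path)):
        return "package rejected"
    return "ok"

# Constructed sample data: a stand-in .deb, its Packages stanza, and a Release file.
DEB_PATH, INDEX_PATH = "pool/main/h/hello/hello_1.0_amd64.deb", "main/binary-amd64/Packages"
DEB = b"constructed stand-in for a .deb archive"

def make_index(deb):
    return (f"Package: hello\nVersion: 1.0\nFilename: {DEB_PATH}\n"
            f"Size: {len(deb)}\nSHA256: {sha256(deb)}\n").encode()
INDEX = make_index(DEB)
RELEASE = f"Origin: Example\nSuite: stable\nSHA256:\n {sha256(INDEX)} {len(INDEX)} {INDEX_PATH}\n"

if __name__ == "__main__":
    for deb in (DEB, b"constructed tampered package"):
        print(verify_chain(RELEASE, INDEX_PATH, INDEX, DEB_PATH, deb))
```

A mirror that replaces both the .deb and the Packages index to match it still fails at the first step, because it cannot re-sign the Release file.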

