
Many things. Mostly PPAs. I can install Ubuntu Stable and use the most recent version of PHP, which has been built and is stored on Canonical's servers. With Debian, that's a gamble: either wait until the Debian developers stop bikeshedding and upload a new version of PHP to experimental, breaking my whole system if I install it, or I have to add a repo from some guy I don't know or trust.


> ... or I have to add a repo from some guy I don't know or trust.

The Debian PHP maintainer, Ondřej Surý, maintains his own repo:

* https://deb.sury.org

* https://packages.sury.org/php/README.txt

* https://qa.debian.org/developer.php?login=ondrej%40debian.or...


Okay, you've shot down my example, but that was not the point.


What is your point? That Debian doesn't churn versions of software very quickly? Some of us view that as a good thing.


What's the difference between a PPA and a repo from some guy you don't know or trust?


With a PPA you can't upload binaries; you upload sources that can be audited, and Canonical builds them.


I strongly suspect they don't audit the sources.


They're not saying that Canonical audits the sources. They're saying that because the person running the PPA uploads the source and Canonical's servers build the packages from there, as long as you trust Canonical you don't have to worry about the binary matching the source. For the majority of us who aren't qualified to audit the source itself directly, being able to trace the binary we're running to source that someone could audit is the best we can hope for.

Of course in the years since the PPA system was introduced we've seen a lot of projects push in to reproducible builds which somewhat negates that concern, but there are still a lot of us who would rather not go through that process for every random binary we want to run. Having a third party that we inherently trust because they built the rest of the operating system building the random packages we want has an appeal. Also for the devs/packagers free hosting by the OS vendor is nice too.


I still don't understand why folks don't just build things like PHP from source. On either my desktop or production servers building a package missing from APT has never been a problem (on either Debian or Ubuntu, but I strongly prefer Debian). Then you don't have to trust anyone... /shrug

And what's even worse, if you install Docker containers you don't build and manage yourself, you're pretty much right there again with "I don't know or trust" as your means of security.


Just to expand on the "build from source" bit, apt-get can not only download packages in source form but also build binary packages in literally one single command.

This makes it easy to handle the cases where you want the full Debian build but with a patch, or just to step the version. That's useful when you need to patch a package or can't wait for an upstream security fix.

Too often I see people building upstream packages "by hand" in those cases. The packaging tools are great and any Linux user is greatly helped by taking a few minutes and learning the basics of apt preference files, package selection and source packages.
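The "trace the binary back to source" argument above rests on the source package you build from being the one the maintainer described. Before `apt-get source --build` or `dpkg-buildpackage`, the `.dsc` file's `Checksums-Sha256` field pins the size and SHA-256 of every tarball it references. The following is an added example, not code from the thread or from Debian's tooling: it parses that field and checks the files on disk, exercised against a constructed (fake) source package in a temporary directory where one tarball has been altered.

```python
import hashlib
import os
import tempfile


def parse_dsc_checksums(dsc_text: str, field: str = "Checksums-Sha256") -> dict:
    """Parse a multi-line checksum field of a .dsc into {filename: (hexdigest, size)}.

    RFC822-style continuation lines (leading space) belong to the field;
    the first non-indented line ends it.
    """
    entries = {}
    in_field = False
    for line in dsc_text.splitlines():
        if line.startswith(field + ":"):
            in_field = True
            continue
        if in_field:
            if not line.startswith(" "):
                break
            hexdigest, size, name = line.split()
            entries[name] = (hexdigest.lower(), int(size))
    return entries


def verify_source_files(dsc_text: str, directory: str) -> dict:
    """Return {filename: bool}: True only if the file exists with the listed size and SHA-256."""
    results = {}
    for name, (expected, size) in parse_dsc_checksums(dsc_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path) or os.path.getsize(path) != size:
            results[name] = False  # missing or wrong length: do not bother hashing
            continue
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        results[name] = digest.hexdigest() == expected
    return results


def demo() -> dict:
    """Constructed example: a good orig tarball and a tampered debian tarball (hypothetical package 'example')."""
    orig = b"constructed upstream tarball bytes\n"
    debian = b"constructed debian tarball bytes\n"
    dsc = ("Format: 3.0 (quilt)\nSource: example\nVersion: 1.0-1\n"
           "Checksums-Sha256:\n"
           f" {hashlib.sha256(orig).hexdigest()} {len(orig)} example_1.0.orig.tar.gz\n"
           f" {hashlib.sha256(debian).hexdigest()} {len(debian)} example_1.0-1.debian.tar.xz\n"
           "Build-Depends: debhelper-compat (= 13)\n")
    with tempfile.TemporaryDirectory() as workdir:
        with open(os.path.join(workdir, "example_1.0.orig.tar.gz"), "wb") as fh:
            fh.write(orig)
        with open(os.path.join(workdir, "example_1.0-1.debian.tar.xz"), "wb") as fh:
            fh.write(debian + b"tampered")  # content (and size) no longer matches the .dsc
        return verify_source_files(dsc, workdir)
```

In practice `dscverify` (from the devscripts package) performs this check and also verifies the OpenPGP signature on the `.dsc`, which this example does not; the checksum step alone only proves the files match what the `.dsc` says, not who wrote the `.dsc`.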


Not a downvoter, but if you think that compiling from source means you don't have to trust anyone, then I encourage you to read a paper called "Reflections on Trusting Trust" by Ken Thompson.

It's a very famous computer science paper, pretty easy to read. Nothing niche or controversial. I'm sure you'll find it interesting.


The point is that you don't have to trust anyone outside the source given by the official project you are downloading.

The fact that you can't achieve the ideal does not mean we should claim defeat.


> The act of wasting time on trivial details while important matters are inadequately attended is sometimes known as bikeshedding.

Never heard that term before, but it does, in fact, seem to describe a lot of Canonical's issues in the past decade.


See "Why should I care what color the bikeshed is?" [0] for the reference, if you're interested (and/or "Law of triviality" [1]).

---

[0]: https://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/misc.h...

[1]: https://en.wikipedia.org/wiki/Law_of_triviality


Do you have an example of bikeshedding from a FLOSS mailing list?


PHK's e-mail from 20 years ago (included/linked above) is the canonical example.

I, personally, don't have any examples ready to provide you but I no longer subscribe to any "general discussion" lists.


