A recent incident has caught my attention, where an Ubuntu PPA owner decided to restrict access to his PPAs after some bad feelings he got from an interaction with a stingy company.
As many in the Reddit thread commented, it is unwise to pull in dependencies from third parties. You cannot always expect them to remain available, or always trust them. In fact, you probably shouldn’t trust them. Obviously, there is a wide spectrum of opinions on the topic. This isn’t a moral issue, but it is an important one, possibly a business-continuity one.
Disclosures for my public repositories
I package some programs myself, for Fedora/CentOS and Devuan ceres. Of course they have dependencies, and a few even have some third-party dependencies. For some of my projects, I have actually taken the effort to package up their dependencies as well, so my repositories are sufficient (together with the main distro repos, of course) for the actual package I care about.
For CentOS 6, because I don’t actually have any extant systems myself, I made the decision to rely on third-party repositories for some key dependencies. I am uncertain whether this information is publicly viewable on the copr, and I do not wish to hide it. The copr front page shows that the various repos are “[Modified]”, but it does not provide links to the additional repositories they depend on. The EPEL8 dependencies exist because there were no official repos hosting certain packages yet, but that should be rectified over time.
- My own repo for a few things that couldn’t be built on copr because of weird dependency issues at the time: http://example.no-ip.biz/repo/rpm/ (redacted). Of course I trust this one, but should you?
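Since the copr front page does not tell you which extra repositories a repo pulls from, the practical check is on your own machines: look at what is actually enabled in yum/dnf and flag anything unsigned or served from a host you did not decide to trust. The script below is an added example written for this post, not code from the original post or from copr; the allow-list of first-party mirror hosts and the sample `.repo` content (which reuses the redacted no-ip.biz URL from the list above alongside a constructed copr entry) are constructed assumptions for illustration. It only inspects the first `baseurl`/`mirrorlist`/`metalink` URL of each section and assumes yum's defaults of `enabled=1` and `gpgcheck=0` when those keys are absent.

```shell
#!/bin/sh
# Added example (not from the original post): audit a yum/dnf .repo file read
# from stdin and report enabled repositories that are unsigned (gpgcheck != 1)
# or served from a host outside an allow-list of first-party mirrors.

# Hosts treated as first-party for this example (constructed assumption;
# adjust to the mirrors your organisation actually trusts).
TRUSTED_HOSTS="mirrors.centos.org mirrorlist.centos.org dl.fedoraproject.org mirrors.fedoraproject.org"

# host_of URL -> prints the host part of a scheme://host/... URL
host_of() {
    printf '%s\n' "$1" | sed -E 's#^[a-zA-Z]+://([^/:?]+).*#\1#'
}

# is_trusted HOST -> returns 0 if HOST is listed in TRUSTED_HOSTS
is_trusted() {
    for h in $TRUSTED_HOSTS; do
        [ "$1" = "$h" ] && return 0
    done
    return 1
}

# audit_repo_file (reads a .repo file on stdin) -> prints one finding per line:
#   "<repoid> unsigned"             when gpgcheck is not 1
#   "<repoid> third-party <host>"   when the repo URL host is not trusted
# Disabled sections (enabled=0) are skipped.
audit_repo_file() {
    # Flatten each INI section into an "id|enabled|gpgcheck|url" record.
    # Defaults mirror yum: enabled=1, gpgcheck=0 when the key is absent.
    awk '
        function flush() {
            if (id != "") printf "%s|%s|%s|%s\n", id, enabled, gpgcheck, url
        }
        /^\[.*\]$/ { flush(); id = substr($0, 2, length($0) - 2)
                     enabled = 1; gpgcheck = 0; url = ""; next }
        /^[ \t]*(#|;|$)/ { next }            # comments and blank lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); sub(/[ \t]+$/, "", key)
            val = substr($0, eq + 1);    sub(/^[ \t]+/, "", val)
            if (key == "enabled")  enabled = val
            if (key == "gpgcheck") gpgcheck = val
            if (url == "" && (key == "baseurl" || key == "mirrorlist" || key == "metalink")) url = val
        }
        END { flush() }
    ' | while IFS='|' read -r id enabled gpgcheck url; do
        if [ "$enabled" = "1" ]; then
            [ "$gpgcheck" = "1" ] || printf '%s unsigned\n' "$id"
            host=$(host_of "$url")
            : "${host:=unknown}"
            is_trusted "$host" || printf '%s third-party %s\n' "$id" "$host"
        fi
    done
}

# Constructed sample .repo content: one distro mirror, one copr repo, the
# personal repo from the list above, and a disabled entry that must be ignored.
SAMPLE_REPO=$(cat <<'EOF'
[base]
name=CentOS Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
gpgcheck=1
enabled=1

[copr-example]
name=Copr repo (constructed example)
baseurl=https://download.copr.fedorainfracloud.org/results/example/example/epel-7-$basearch/
gpgcheck=1
enabled=1

[personal]
name=Personal repo
baseurl=http://example.no-ip.biz/repo/rpm/
gpgcheck=0
enabled=1

[disabled-extra]
name=Disabled repo
baseurl=http://example.invalid/repo/
gpgcheck=0
enabled=0
EOF
)

# Stand-alone run: audit the constructed sample.
# On a real host: audit_repo_file < /etc/yum.repos.d/<name>.repo
printf '%s\n' "$SAMPLE_REPO" | audit_repo_file
```

On the sample this reports the copr repo as third-party and the personal repo as both unsigned and third-party, while the signed distro mirror and the disabled entry produce nothing. Run it over every file in `/etc/yum.repos.d/` to get the dependency picture that the copr page leaves out.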
Also, happy holidays or Merry Christmas or whatever holiday greetings you want. This post was originally published on December 22, 2019 so it’s the last one before Christmas.