User story: I am an everyday user of libre software. I want to control which sources I download software from, so that I only install software from trusted sources (and don't unwittingly rely on external sources that I have not verified).
User story: I am a package maintainer for an FSDG distribution. I only provide packages that I can vouch for, so I do not want to provide packages that actively download software from external sources.
User story: I am an upstream developer, my packages relies on an external source and I have limited concern for the problem (I trust the source and expect others to do the same). I need a straightforward, high-level solution, so that I can write/review a patch that does not compromise the technical integrity of my package.
Typical problem scenario
The user is running PureOS and installs package foo from the PureOS repository:
sudo apt install foo
The foo package has its own installation function, which the user uses to install package bar:
foo install bar
However, bar is not downloaded from the PureOS repo, it is downloaded from https://example.com, a hardcoded external source.
The user is now relying on an external source that they have not verified, and that the PureOS package maintainers cannot vouch for.
- PureOS includes apt for package installation, and points only to the trusted PureOS repository. The user is free to add additional apt sources that they trust.
- When flatpak is first installed, you cannot install any flatpak packages. You need to add at least one source first.
Provide a reference document with a high-level design pattern that resolves this problem. We can then direct upstream developers to it and/or use it ourselves to implement fixes on upstream packages.