I've spoken with some maintainers at the Debian IRC channel irc://#debian-mentors, asking for the exact same thing, and the general consensus was:

Integrating dependencies in your package by copying their source files over as a single codebase is very frowned upon. It would defeat the purpose of a packaging system that handles dependencies, updates, versioning, etc.

Downloading non-Debian packages on-the-fly when installing a binary (.deb) is a serious security risk, definitely a no-no. You wouldn't even be able to inspect the dependencies by extracting the deb, because they are downloaded and installed at install time. It's an approach that completely bypasses the repositories system. No concerned user would be happy with a package that, behind the scenes (and as root, remember!), downloads additional untrusted software from untrusted sources. Yes, that would require fiddling with DEBIAN/postinst (or preinst) and issuing a wget (or, in your case, pip install), and that is the approach taken by Flash, Oracle Java, Steam and others. But that is proprietary, closed source software, so their security is none anyway.

You didn't mention it, but you could integrate the dependencies only at build time, i.e., in the source package (the. dsc triad), by downloading from PyPI when creating the "binary" package (the.