On Thursday 2024-10-17 19:10, bo0od via openSUSE Factory wrote:
> - Can we have TLS/SSL added by default for Tumbleweed users? The reasoning is
Signatures on the packages ensure authenticity, whereas TLS gives you confidentiality of the download. Of course both are good to have.
> explained here (using gpg only is unreliable): https://blog.packagecloud.io/attacks-against-gpg-signed-apt-repositories/.
"""GPG signing a Debian package does nothing because package signatures are not verified by default"""
Sounds more like an apt-specific problem.
> - How easy is it to accept new packages? We have Whonix https://github.com/Whonix/ and Kicksecure https://github.com/kicksecure/. Can we just create a new user and start uploading directly, or is there a specific process we need to follow? Please provide details if necessary.
You can just upload. But I see no point in having e.g. https://github.com/Whonix/whonix-base-files in Tumbleweed. The package is described as """This package contains several important miscellaneous files, such as /etc/issue, /etc/motd, /etc/dpkg/origins/whonix, /etc/skel/.bashrc, /usr/bin/whonix, and others.""", and I can tell you, we already have /etc/motd, and we do not exercise dpkg. So whonix-base-files would be dead weight.
> - Some packages have been observed to experience delays before reaching users from upstream, which can take more than 6 days (e.g., Firefox https://github.com/Kicksecure/security-misc/issues/138#issuecomment-21455894... and others https://www.kicksecure.com/wiki/Dev/openSUSE#Package_Concurrency). Is this normal, or was it just a one-off delay?
"""Conclusion: From 19 Dec 2023 until 01 Feb 2024, OpenSUSE Tumbleweed is late uploading the new QEMU version for more than 1 month. Nothing happened in all of January 2024."""
Check your investment. Furthermore, latest is not always greatest. Staying behind can be a conscious decision. It seems the guys at kicksecure.com have forgotten that a distro is not just a dull delivery mechanism, but a concerted effort to create a curated ensemble.
> - Does Tumbleweed suffer from the metapackage problem https://www.whonix.org/wiki/Debian_Packages#Technical_Information similar to Debian?
Again, it's a conscious decision. The use of --no-recommends has consequences, in particular that programs get installed and then are not living up to user expectations.
> - As far as I know, Tumbleweed signs both data and metadata, correct?
yes
> - Does openSUSE have the same policy regarding Embedded Copies as Debian https://wiki.debian.org/EmbeddedCopies?
Generally, files downloaded elsewhere are stored as unmodified copies, for reasons of integrity checking.
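The split made in this reply (package and metadata signatures give authenticity, TLS on the download gives confidentiality) can be turned into a quick audit of zypper repository definitions. What follows is an added example written for this page, not code from the thread, from openSUSE or from Whonix/Kicksecure. It assumes the key names libzypp uses in .repo files (baseurl, gpgcheck, repo_gpgcheck, pkg_gpgcheck), libzypp's boolean spellings (1/0, yes/no, on/off, true/false), and that an absent gpgcheck means the default of "on"; the two repo files it checks are constructed samples written to a temporary directory rather than anything read from /etc/zypp/repos.d.

```shell
#!/bin/sh
# Added example (not openSUSE's or the poster's code): audit zypper .repo files
# for signature checks on metadata and packages (authenticity) and an https
# baseurl (confidentiality of the download).
# Assumed: libzypp key names baseurl/gpgcheck/repo_gpgcheck/pkg_gpgcheck, its
# boolean spellings, and gpgcheck defaulting to on when absent.

trim() { printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'; }

# Map a libzypp boolean to 1 or 0; print nothing when unset or unrecognised.
norm_bool() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        1|yes|on|true)  echo 1 ;;
        0|no|off|false) echo 0 ;;
        *)              echo "" ;;
    esac
}

# Print "<alias> ok" or "<alias> <finding>..." for the section held in the
# globals repo_alias/url/gpg/rgpg/pgpg; return 1 if anything was found.
report() {
    findings=""
    case $url in
        https://*) ;;                                   # encrypted transport
        http://*|ftp://*) findings="$findings plaintext-transport" ;;
        "") findings="$findings no-baseurl" ;;
        *) ;;                                           # dir://, file://: nothing on the wire
    esac
    g=$(norm_bool "$gpg");  [ -n "$g" ] || g=1          # absent => assumed libzypp default (on)
    r=$(norm_bool "$rgpg"); [ -n "$r" ] || r=$g         # repo_gpgcheck falls back to gpgcheck
    p=$(norm_bool "$pgpg"); [ -n "$p" ] || p=$g         # pkg_gpgcheck falls back to gpgcheck
    [ "$r" = 0 ] && findings="$findings metadata-unsigned"
    [ "$p" = 0 ] && findings="$findings packages-unsigned"
    if [ -z "$findings" ]; then
        printf '%s ok\n' "$repo_alias"
        return 0
    fi
    printf '%s%s\n' "$repo_alias" "$findings"
    return 1
}

# check_repo FILE: one verdict line per [section]; returns 1 if any section
# has a finding, 0 if all are clean.
check_repo() {
    file=$1
    rc=0
    repo_alias=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(trim "$line")
        case $line in
            ''|'#'*|';'*) continue ;;
            \[*\])
                if [ -n "$repo_alias" ]; then report || rc=1; fi
                repo_alias=${line#\[}; repo_alias=${repo_alias%\]}
                url=""; gpg=""; rgpg=""; pgpg=""
                ;;
            *=*)
                key=$(trim "${line%%=*}"); val=$(trim "${line#*=}")
                case $key in
                    baseurl)       url=$val ;;
                    gpgcheck)      gpg=$val ;;
                    repo_gpgcheck) rgpg=$val ;;
                    pkg_gpgcheck)  pgpg=$val ;;
                esac
                ;;
        esac
    done < "$file"
    if [ -n "$repo_alias" ]; then report || rc=1; fi
    return "$rc"
}

# Constructed sample repo files (not copied from any real system).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/good.repo" <<'EOF'
[repo-oss]
name=openSUSE-Tumbleweed-Oss (constructed sample)
enabled=1
autorefresh=1
baseurl=https://download.opensuse.org/tumbleweed/repo/oss/
type=rpm-md
gpgcheck=1
EOF
cat > "$SAMPLE_DIR/bad.repo" <<'EOF'
# constructed sample with two weak definitions
[third-party]
name=vendor mirror
enabled=1
baseurl=http://mirror.example.net/tw/
type=rpm-md
gpgcheck=0
pkg_gpgcheck=1

[local-build]
name=locally built rpms
baseurl=dir:///srv/rpms
repo_gpgcheck=off
EOF

for f in "$SAMPLE_DIR"/*.repo; do
    echo "== $f"
    check_repo "$f" || echo "-> findings in $f"
done
```

Pointing the loop at /etc/zypp/repos.d/*.repo instead of the sample directory runs the same checks on a live system. Note the two findings are deliberately separate: a plaintext baseurl with signatures still enabled is the "authenticity but no confidentiality" case described in the reply, while repo_gpgcheck=off on an https mirror is the reverse, and only the combination of both checks passing matches what the reply says Tumbleweed does by default.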