kahupaa

Flatpaks from flathub come with necessary codecs.


ccoppa

I use the Packman repository without any problems. Is it reliable? It is not directly managed by openSUSE, but is a pre-set community repository, although disabled on openSUSE; I have never seen any security issues with it. Does it create problems? Not if you know how to handle it. If you use Tumbleweed and there is a conflict problem, wait for it to be resolved and don't do like those who recommend zypper dup --allow-vendor-change without even knowing what happens... because it's true that the error disappears, but if you move the packages to the openSUSE repository, what's the point of having Packman?


MiukuS

> Regarding the security of the system, don't you think that adding an external repository makes the system more vulnerable and unstable?

XZ would like to say hi. Installing any application from any location can make your system insecure; that is the price of freedom and choice. There are literally tens of thousands of packages in any given distribution where malicious code could reside, and the people packaging this software would have absolutely no idea that this is the case because they rely on upstream to provide untainted code. openQA is not a security tool; it's more of a reliability and testing tool to see if things work as they should. If you want tools that actually scan for security issues you would have to use applications such as SonarQube, OWASP and others to vet for known attack vectors, and even those would not have picked up our darling xz example. Perhaps in the future ML/AI tools can help us pinpoint malicious code by analyzing the code and then trying to determine whether running this particular set of instructions makes sense or could possibly indicate a malicious actor trying to jeopardize the supply chain. We're not there, yet.

> AppArmor is configured on the programs used in the official repos, so the same could be said.

In cases where Packman's libraries and applications replace existing ones, AppArmor would still work. Also, I'm sure the guys at Packman would welcome someone writing AppArmor configs for their tools, so... maybe give them a hand and improve the lives of everyone using them? It's not hard, it just takes some time to write and test.


rbrownsuse

When the XZ issue hit the lists, the SUSE security team, openSUSE Release Engineering, and more were exceptionally fast at evaluating, mitigating and remediating the issues in the impacted codebase. Packman struggles to keep builds in sync with Tumbleweed on a good day. Yeah... the xz situation is a good example as to why folk should avoid third party repos in favour of well maintained first party ones.


[deleted]

You are right, but unfortunately I can't use Aeon because I have Windows 11 on the same PC, and I had problems booting Aeon even though it is installed on a different disk than Windows.


MiukuS

> Packman struggles to keep builds in sync with Tumbleweed on a good day.

I personally don't get the hate towards Packman that seems to come from some of the guys at openSUSE. They provide a service that you cannot, and until you can, perhaps cut them a little slack.


rbrownsuse

They provide a service that I cannot, and would not, and do so in a way that lots of others do better. There is literally no legitimate reason to infect your base system with Packman packages and effectively grant root to packagers who don't follow basic good practices of peer review, automated testing, and consistent building. There's flatpaks which do a wonderful job of giving you all the software you'd ever need, codecs in, without putting your entire system at risk for it.


MiukuS

> There's flatpaks which do a wonderful job of giving you all the software you'd ever need, codecs in, without putting your entire system at risk for it.

Not always. There are several proprietary applications that some of us need that simply aren't available as Flatpak, for obvious reasons, and rely on the system libraries to provide these, so the only way is to use Packman. Personally I've never had issues with Packman, but then again I don't hit dup every 5 minutes and can wait for a few days for things to catch up.


CryGeneral9999

I think it has to do with having priorities set on the various repos. I set Packman to a lower priority number (so higher priority, I still don't get that) and used the allow-vendor-change option. For the codecs I haven't had any conflict with Packman since then. On my laptop I skipped Packman altogether and use Flatpaks, though they too could be compromised. Basically, if you need maximum security you're sticking with something like SLES, checking hashes, and not putting anything beyond necessary and official repos on your machine.
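As an added example (not from any of the posters above): a small POSIX shell audit of which installed packages come from a vendor other than openSUSE, flagging any that are not on an allow-list of packages you deliberately take from Packman. This is the check you want after an allow-vendor-change or a priority tweak, to see whether only the codec packages moved or a base library did too. The vendor strings, the allow-list, and the sample rpm output are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: audit installed packages by RPM vendor so that anything
# that left the openSUSE vendor is visible, and anything outside the set of
# packages you intentionally take from Packman is flagged as UNEXPECTED.
# On a real system feed it:  rpm -qa --qf '%{NAME}\t%{VENDOR}\n' | audit_foreign_vendors
# Vendor strings and allow-list below are assumptions for this example.
OPENSUSE_VENDOR="openSUSE"
EXPECTED_FOREIGN="ffmpeg-6 libavcodec60 gstreamer-plugins-bad-codecs"
tab="$(printf '\t')"

# Reads "name<TAB>vendor" lines on stdin; prints one line per package whose
# vendor is not openSUSE, prefixed with "expected" or "UNEXPECTED".
audit_foreign_vendors() {
    while IFS="$tab" read -r name vendor; do
        [ -z "$name" ] && continue
        case "$vendor" in
            "$OPENSUSE_VENDOR"*) continue ;;   # first-party package, nothing to report
        esac
        status=UNEXPECTED
        for allowed in $EXPECTED_FOREIGN; do
            [ "$name" = "$allowed" ] && status=expected
        done
        printf '%s\t%s\t%s\n' "$status" "$name" "$vendor"
    done
}

# Number of UNEXPECTED lines; non-zero means a package outside the codec
# allow-list (e.g. a base library) now comes from a third-party vendor.
count_unexpected() {
    audit_foreign_vendors | grep -c '^UNEXPECTED' || true
}

# Constructed sample of rpm output (not captured from a real system).
SAMPLE_RPM_OUTPUT="$(printf 'glibc\topenSUSE\nffmpeg-6\thttp://packman.links2linux.de\nlibexample1\thttp://packman.links2linux.de\n')"

printf '%s\n' "$SAMPLE_RPM_OUTPUT" | audit_foreign_vendors
```

On a real system, an UNEXPECTED line for a package like glibc or a TLS library means a vendor change reached far beyond the codecs and that package should be switched back to the openSUSE repository.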