Tuesday 22 January 2008

Backports, and why you shouldn't just follow my directions

I got hooked on Bazaar (or bzr, which is the package name) shortly after I started working in Ubuntu. It's a great version control system written in Python, and I'll show a nice example of its use here soon. But that's not what this post is about.

Looking for bzr in the Etch repository, I found that a plain aptitude install bzr would provide me with version 0.11 of the software. Now, that is a lot of versions away from the current stable version, 1.1. So I decided I couldn't do without a newer version, and since I trust the package to work well and it doesn't provide any network services (so security risks are limited), I thought I might as well get the newest version from the developer site.

At that point I remembered backports. A quick look around the site told me bzr 1.0 for Etch was available from there. Now, there are a few advantages to using a back-ported deb package over a manual installation. One of them is the ease of installation (after adding backports.org to your trusted sources as explained here, the back-ported packages are available in your package manager), but in fact installing bzr by hand is also really simple: unpack the tarball in a suitable place and put a link to bzr in your path.

The real reason I opted for backports is that using the package manager makes the package management system aware of the presence of a version of bzr on your system. This gives you lots of benefits: you get warned when you try to install an incompatible package, when you install another version, or when you remove a package that bzr depends on.

Well then, I added backports to the trusted sources as described in the given link, and used aptitude to select the 1.0 version. You need to explicitly select the newer version, otherwise the system defaults to installing the official repository version (you can use pinning to alter this behaviour, but that's a topic I'll have to skip for now). I chose not to install the recommended packages bzrtools and python-paramiko (for sftp support), which you would also have to manually set to the right versions if you have a need for them. That's all!

Almost all. There's one essential remark I usually don't see in blog posts like this one: there is of course a reason why backports are not enabled by default on your Etch system. If, like many people, you've come to Debian for its reputation of good security, you need to realise that it is only as secure as you keep it. You are the only person who can assess the implications of adding a repository to your trusted sources, and it's not a decision to take too lightly. I trust backports as a source, and I trust bzr 1.0 to be stable enough to belong in an Etch system, but you shouldn't just jump off that cliff with me...
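One way to review what an added repository has actually contributed to a system, given here as an added example that is not part of the original post: parse the output of `apt-cache policy` and list the installed packages whose installed version is not offered by any official archive. The sample output, its revision strings, the mirror host, and the function names are constructed for illustration.

```python
import re

# Constructed sample of `apt-cache policy bzr python-paramiko` output. The
# revision strings, mirror host and priorities are invented for illustration.
SAMPLE = """\
bzr:
  Installed: 1.0-0example1
  Candidate: 1.0-0example1
  Version table:
 *** 1.0-0example1 0
          1 http://www.backports.org etch-backports/main Packages
        100 /var/lib/dpkg/status
     0.11-0example1 0
        500 http://mirror.example.org etch/main Packages
python-paramiko:
  Installed: (none)
  Candidate: 1.5-0example1
  Version table:
     1.5-0example1 0
        500 http://mirror.example.org etch/main Packages
"""

VERSION_LINE = re.compile(r"^ (\*\*\*|   ) (\S+) \d+$")   # "***" marks installed
SOURCE_LINE = re.compile(r"^\s+-?\d+ (\S+)(?: (\S+))?")    # priority, URI, archive

def installed_origins(policy_text):
    """Map each installed package to the archives that offer its installed version."""
    origins, pkg, is_installed = {}, None, False
    for line in policy_text.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            pkg, is_installed = line[:-1], False          # new package stanza
            continue
        version = VERSION_LINE.match(line)
        if version:
            is_installed = version.group(1) == "***"
            if is_installed:
                origins[pkg] = []
            continue
        source = SOURCE_LINE.match(line)
        if source and is_installed and source.group(2):   # skips /var/lib/dpkg/status
            origins[pkg].append(source.group(2).split("/")[0])
    return origins

def outside_official(policy_text, official=("etch",)):
    """Installed packages whose installed version no official archive offers."""
    return sorted(p for p, archives in installed_origins(policy_text).items()
                  if not set(archives) & set(official))

if __name__ == "__main__":
    print(outside_official(SAMPLE))
```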
