
Don't use apt-key, don't blindly trust yarn for everything

Open KwadroNaut opened this issue 7 years ago • 5 comments

A tightly administered system wouldn't trust yarn's apt key for any package. Administrators should still do the pinning though. Background: https://bugs.debian.org/861695

KwadroNaut avatar Oct 04 '17 12:10 KwadroNaut
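The trust problem raised in the issue above, as an added example that is not part of the original thread or the Yarn project: a key imported with `apt-key` lands in apt's global keyring and is accepted for every configured source, whereas a `signed-by` option ties a key to one source. The script flags one-line source entries that lack `signed-by`; the repository URL, keyring path and the function names `audit_sources` and `make_sample` are constructed for illustration.

```shell
#!/bin/sh
# Added example: list one-line apt source entries that do not scope their
# signing key with signed-by and so rely on the global trusted keyring.
# Only the one-line *.list format is parsed, not deb822 *.sources files.

# audit_sources DIR: print "file:line: entry" for each deb/deb-src entry
# without a signed-by option. Returns 1 if any was found, 0 otherwise.
audit_sources() {
    dir=$1
    found=0
    for f in "$dir"/sources.list "$dir"/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        n=0
        # read splits off the entry type; comments and blanks fall through
        while read -r type rest || [ -n "$type" ]; do
            n=$((n + 1))
            case $type in deb|deb-src) ;; *) continue ;; esac
            # options, if present, sit in [...] directly after the type
            case $rest in
                \[*) opts=${rest%%\]*} ;;
                *)   opts= ;;
            esac
            case $opts in
                *signed-by=*) ;;
                *) printf '%s:%d: %s %s\n' "$f" "$n" "$type" "$rest"
                   found=1 ;;
            esac
        done < "$f"
    done
    return "$found"
}

# Constructed sample tree: one unscoped entry, one scoped with signed-by.
make_sample() {
    mkdir -p "$1/sources.list.d"
    printf '%s\n' 'deb https://repo.example.invalid/debian/ stable main' \
        > "$1/sources.list.d/unscoped.list"
    printf '%s\n' '# key limited to this source' \
        'deb [arch=amd64 signed-by=/usr/share/keyrings/example-archive.gpg] https://repo.example.invalid/debian/ stable main' \
        > "$1/sources.list.d/scoped.list"
}

# Demo on the constructed sample; on a real host run: audit_sources /etc/apt
tmp=$(mktemp -d)
make_sample "$tmp"
audit_sources "$tmp" || echo "entries above rely on the global keyring"
rm -rf "$tmp"
```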

Deploy preview ready!

Built with commit 522a905ccf30acd9f2888f016489840bd02a7022

https://deploy-preview-670--yarnpkg.netlify.com

Haroenv avatar Oct 04 '17 12:10 Haroenv

I would even prefer a direct link to the .deb (or equivalent for other distros), what do you think?

xtuc avatar Oct 04 '17 12:10 xtuc

@xtuc super bad idea. If for whatever reason there needs to be an update to that package, people will not know they're out of date. Unless you have implemented a self-updating package with TUF or something similar?

KwadroNaut avatar Oct 04 '17 13:10 KwadroNaut

Yes, you're right. Never mind.

xtuc avatar Oct 04 '17 13:10 xtuc

Hey, this is pretty clever. Does it work on older versions of Ubuntu and Debian? There are still many people using Ubuntu 14.04, unfortunately.

Most places I've seen that add custom package sources do it the same way that Yarn does it today.

> I would even prefer a direct link to the .deb (or equivalent for other distros), what do you think?

It's not documented, but https://yarnpkg.com/latest.deb works.

Daniel15 avatar Nov 27 '17 02:11 Daniel15