M. Fioretti writes:
There's no technical reason why an rpm file cannot include the URL of any repositories that provide packages for any needed dependencies, together with the repositories' keys.
I like the concept, but for some reason which I can't point out before sleeping I have the _feeling_ that there is some practical reason why this wouldn't work in real life. But maybe I'm just sleepy.
I've thought about this -- there is one situation where this model breaks down. This model depends on everyone using different package names. If two repos build a different package and use the same name for both of them, this model is going to break down.
It is necessary to have some measure of self-discipline here, and people need to keep within their own boundaries, and not stick their nose where it doesn't belong. But I do not believe that it is a big concern. People running third-party repos right now already exhibit discipline. Everyone else depends on them, and basically gives them carte blanche to install arbitrary software on their own machines. That's a lot of trust, and, over the past couple of years, we didn't really have many instances of this trust being abused.