I can't speak to the caiman bug. As for the pkg(5) bug, the point, which may have been lost in the shuffle, is that until the depot supports fine grained authorizations, the recommended way to publish packages is to publish either to a fully protected host (over loopback, on a machine not on the internet, with IPF blocking the port, whatever) or to a file: URL which doesn't involve an open port at all. The resulting repository can then be moved to an appropriate location, and a read-only depot stood up on top of that.
This is the way that we've been managing pkg.opensolaris.org, and it's been quite successful, and is entirely safe.
I agree that the documentation could make this process clearer and indicate that it's recommended. In addition, making the SMF service default to read-only makes sense in case an administrator starts up the service without having read the documentation. I believe Shawn has filed bugs for all of this, and is in the process of fixing them.
I think that what was obvious to the pkg(5) team -- namely that safety is entirely achievable without fine grained authorizations, and how to achieve it -- was not obvious to you, and that disconnect was not recognized and communicated effectively. I hope that we've managed to do so now.
If, given this information, our priorities still appear to you to be poor, you have the options of either contributing to the project, or talking to your service representative to make the case through official channels. Angry emails on public forums, as cathartic as they may be from time to time, are not helpful, particularly when the new folks in charge are still making up their minds whether open development is worth the cost.
Danek

