Hi Ido,

> If I might chime in, I am a bit worried about all the automatic installation
> going on in galaxy, and it seems that the trend is to enhance this.
> A small R or python script calling into well known libraries that come from
> well known repositories (bioconductor etc… ) I can check.
> (Of course I install too much stuff from github, bioconductor etc… without
> checking).

Yes, these are huge security concerns and every admin is advised to check the code beforehand. In case of binaries it's hard or not possible at all. That's one reason I want to discuss that issue.

> > I'm not sure it is comparable to an entire Linux distribution, it's more
> > like an Appstore, like pypi, bioconductor or gems, and yes that is
>
> The app stores are checked by Apple or google for malicious code, the apps
> are sandboxed.
> There are many eyes for python, bioconductor packages and gems because much
> more people interact with them directly compared to galaxy-tools.

Sure, the Galaxy Tool Shed is slowly getting there. The IUC (Intergalactic Utilities Commission) was founded at the end of 2012 and should be something like a reviewing instance for tools.

> > Sorry maybe I was misleading. I only want a central storage for
> > binaries/tarballs where the source can not be trusted for long term.
> > 'long term' and 'trusted' need to be defined in such a discussion here.
> > I do not think we should copy python packages that are stored in pypi.
> > We should make it as easy as possible to install them in our repository. If
> > you do not trust pypi, we can offer a mirror. Same goes for gems.
>
> Trusted for me means I trust the source not having dangerous code. I trust pypi
> more than some mirror, bioconductor base packages from more than some freshly
> published package that few people have used, tools from galaxy core developers
> more than from tool-shed etc…
> I know this is not the type of trust you were talking about.

That is, it's twofold: one is to trust the source not to infiltrate the system or do any harm, the other is to trust the availability of data. Both are important imho.

Cheers,
Bjoern

> best,
> ido

___________________________________________________________
Please keep all replies on the list by using "reply all" in your mail client.
To manage your subscriptions to this and other Galaxy lists, please use the interface at: http://lists.bx.psu.edu/
To search Galaxy mailing lists use the unified search at: http://galaxyproject.org/search/mailinglists/