> On Sat, 31 Mar 2007 15:24:03 -0400 > Seemant Kulleen <[EMAIL PROTECTED]> wrote: > >> To make it more clear. If the gcc developers decided to stick some >> malicious code into gcc, it affects the entire linux community, the >> entire BSD community and would take out a few other communities as >> well. The effects are far reaching and shared by everyone. If an >> official package manager is outside of Gentoo's control, and the >> maintainer(s) of that piece of software decide to do anything >> malicious (examples: inject some dodgy code, remove documentation, >> take out access to the repository, etc) for whatever reason (say, >> they get pissed off at a few Gentoo people and decide that the entire >> Gentoo community can be painted that way), then > > ... Gentoo developers can take the latest release of said package > manager and continue development from that. That's the wonderful thing > about the GPL, no?
The fact that Gentoo can continue with the codebase is irrelevant. I think moreso the fact that a particular Package Manager would be the 'Gentoo Package Manager' means in my mind that Gentoo is responsible for said Package Manager. If someone were to slip evil code into said Package Manager and Gentoo released it; that would be bad. Note that with Portage, Gentoo could pull svn access for any individuals who commit such code. Gentoo have no gaurantee of that with an externally managed Manager as Gentoo has no control over the source repositories. If, by your comment above, Gentoo should maintain it's own branch of said package manager to insulate itself from issues such as the security issue defined above; well I think that may be one way to address the problem presented by Seemant. -Alec -- gentoo-dev@gentoo.org mailing list
