I agree that this could be difficult for an individual open source dev
team to do (although I bet the GRASS user/developer community would
catch, announce, and remove embedded malware very fast). I'm
suggesting this as something that the large OSGeo umbrella might look
into as a benefit to member projects. At least for malware, could this
potentially be done in a semi-automated way for packages on OSGeo
servers? Although malware can also get into upgrade sites for
commercial packages, it doesn't seem to happen very often and the
general perception is that these 'official' sites are clean.

Overall, my experience with major open source packages is that they
are at least as safe and unproblematic as commercial packages--and
sometimes considerably better. But the wording of our disclaimers,
while more realistic perhaps, can put off IT managers. For example,
the GRASS 6.3 Windows package installer has been working fine for a
year, and 6.3 works fine with Windows XP. Yet this is still listed on
the GRASS site as the "GRASS Windows-Native Experimental Project".
There are always issues to fix, but this is far beyond "experimental".
We don't want to make unreasonable claims, but perhaps should think
more about how we word things so as to be less discouraging to
potential new users and IT managers.

Michael

On Feb 8, 2009, at 9:52 AM, Glynn Clements wrote:

> Michael Barton wrote:
>
> > Along these lines, it might be worth thinking about a bit of a
> > different model for open source disclaimers. They generally say in
> > prominent type that 'hey, you're on your own with this; we're not
> > responsible for anything'. I wonder if we could have some kind of a
> > 'certified malware free' sticker for things acquired from the
> > official OSGeo site?
>
> Who is going to perform that certification?
>
> GRASS' dependency tree is pretty substantial, particularly when you
> look at e.g. GDAL and ffmpeg. Is someone going to analyse all of those
> dependencies? What if the OSGeo server subsequently gets compromised?
>
> --
> Glynn Clements <[email protected]>