On Thu, Nov 13, 2008 at 06:20:24PM +0100, Guido Berhoerster wrote:
> * Shawn Walker <[EMAIL PROTECTED]> [2008-11-13 17:23]:
> > John Sonnenschein wrote:
> > > I'd just like to throw my thoughts into the ring for this, but the
> > > genunix page lists "Binary only packages allowed" as a goal..
> > >
> > > That is, in my opinion, a /TERRIBLE/ idea, and likely to get people
> > > in more trouble and reflect worse on (open)solaris than just simply not
> > > having the packages at all. Any sort of poor software, either through
> > > malice (trojans) or incompetence (running being heavily dependent on the
> > > builder's specific system setup) can be sneaked in with absolutely no
> > > oversight.
> >
> > That's assuming that the packages don't:
> >
> > 1) receive any vetting at all
>
> So how does the reviewer make sure (with reasonable effort) that
> the submitter has not injected malicious code in the binary package
> he submitted?
The reviewer can't really know that even if source is provided, not as long as the reviewer accepts object code built by the submitter.

I think you may want to argue that submitters should submit spec files for building things and let trusted providers build the actual packages.

In a way we'll be doing just that. First, we'll be our own submitters of spec files. Second, we'll review and use spec files that exist already or that others contribute. The main caveat is that if a spec file includes patching of third party FOSS source then we'll need to complete an OSR, whereas if we don't modify FOSS source then the process is lighter-weight.

That doesn't mean that we'll only accept spec files. We currently intend to accept binary-only pkgs into the /contrib repo, and we intend to tag them accordingly.

Nico
--
_______________________________________________
indiana-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/indiana-discuss
