John Sonnenschein wrote:
>
> On 13-Nov-08, at 1:59 PM, Nicolas Williams wrote:
>
>> On Thu, Nov 13, 2008 at 06:20:24PM +0100, Guido Berhoerster wrote:
>>> * Shawn Walker <[EMAIL PROTECTED]> [2008-11-13 17:23]:
>>>> John Sonnenschein wrote:
>>>>> I'd just like to throw my thoughts into the ring for this, but the
>>>>> genunix page lists "Binary only packages allowed" as a goal.
>>>>>
>>>>> That is, in my opinion, a /TERRIBLE/ idea, and likely to get people
>>>>> in more trouble and reflect worse on (open)solaris than simply not
>>>>> having the packages at all. Any sort of poor software, either through
>>>>> malice (trojans) or incompetence (its running being heavily dependent on
>>>>> the builder's specific system setup), can be sneaked in with absolutely no
>>>>> oversight.
>>>>
>>>> That's assuming that the packages don't:
>>>>
>>>> 1) receive any vetting at all
>>>
>>> So how does the reviewer make sure (with reasonable effort) that
>>> the submitter has not injected malicious code in the binary package
>>> he submitted?
>>
>> The reviewer can't really know that even if source is provided, not as
>> long as the reviewer accepts object code built by the submitter.
>>
>> I think you may want to argue that submitters should submit spec files
>> for building things and let trusted providers build the actual packages.
>>
>> In a way we'll be doing just that. First, we'll be our own submitters
>> of spec files. Second, we'll review and use spec files that exist
>> already or that others contribute. The main caveat is that if a spec
>> file includes patching of third-party FOSS source then we'll need to
>> complete an OSR, whereas if we don't modify FOSS source then the process
>> is lighter-weight.
>>
>> That doesn't mean that we'll only accept spec files. We currently
>> intend to accept binary-only pkgs into the /contrib repo, and we intend
>> to tag them accordingly.
>
> I still wholeheartedly maintain that binary-only packages ought to be
> an exception to the rule and the process should try to avoid it as much as
> possible.
>
> That is, you ought to have a decent reason to be distributing
> closed-only packages, and people who are trusted (the people in charge
> of contrib/) should be able to vouch for your trustworthiness.
>
> Letting some random user upload an unknown and untrusted binary is a
> recipe for disaster.
...and I want to be clear that I'm not arguing against that. That is a
perfectly reasonable set of guidelines for many software packages.
However, one size does not fit all, and that should also be recognized.
Not every package should have to have a spec file; trusted members should
be able to deliver to a staging server for review directly.

-- 
Shawn Walker

_______________________________________________
indiana-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/indiana-discuss
