John Sonnenschein wrote:
>
> On 13-Nov-08, at 2:23 PM, Shawn Walker wrote:
>
>> John Sonnenschein wrote:
>>> On 13-Nov-08, at 1:59 PM, Nicolas Williams wrote:
>>>> On Thu, Nov 13, 2008 at 06:20:24PM +0100, Guido Berhoerster wrote:
>>>>> * Shawn Walker <[EMAIL PROTECTED]> [2008-11-13 17:23]:
>>>>>> John Sonnenschein wrote:
>>>>>>> I'd just like to throw my thoughts into the ring for this, but the
>>>>>>> genunix page lists "Binary only packages allowed" as a goal.
>>>>>>>
>>>>>>> That is, in my opinion, a /TERRIBLE/ idea, and likely to get people
>>>>>>> in more trouble and reflect worse on (open)solaris than just
>>>>>>> simply not having the packages at all. Any sort of poor software,
>>>>>>> either through malice (trojans) or incompetence (running being
>>>>>>> heavily dependent on the builder's specific system setup) can be
>>>>>>> sneaked in with absolutely no oversight.
>>>>>>
>>>>>> That's assuming that the packages don't:
>>>>>>
>>>>>> 1) receive any vetting at all
>>>>>
>>>>> So how does the reviewer make sure (with reasonable effort) that
>>>>> the submitter has not injected malicious code in the binary package
>>>>> he submitted?
>>>>
>>>> The reviewer can't really know that even if source is provided, not as
>>>> long as the reviewer accepts object code built by the submitter.
>>>>
>>>> I think you may want to argue that submitters should submit spec files
>>>> for building things and let trusted providers build the actual
>>>> packages.
>>>>
>>>> In a way we'll be doing just that. First, we'll be our own submitters
>>>> of spec files. Second, we'll review and use spec files that exist
>>>> already or that others contribute. The main caveat is that if a spec
>>>> file includes patching of third party FOSS source then we'll need to
>>>> complete an OSR, whereas if we don't modify FOSS source then the
>>>> process is lighter-weight.
>>>>
>>>> That doesn't mean that we'll only accept spec files. We currently
>>>> intend to accept binary-only pkgs into the /contrib repo, and we intend
>>>> to tag them accordingly.
>>>
>>> I still wholeheartedly maintain that binary-only packages ought to
>>> be an exception to the rule and process should try to avoid it as
>>> much as possible.
>>>
>>> That is, you ought to have a decent reason to be distributing
>>> closed-only packages, and people who are trusted (the people in
>>> charge of contrib/) should be able to vouch for your trustworthiness.
>>> Letting some random user upload an unknown and untrusted binary is a
>>> recipe for disaster.
>>
>> ...and I want to be clear that I'm not arguing against that. That is
>> a perfectly reasonable set of guidelines for many software packages.
>>
>> However, one size does not fit all, and that should also be recognized.
>>
>> Not every package should have to have a spec file; trusted members
>> should be able to deliver to a staging server for review directly.
>
> Exactly!
>
> I'm not arguing that the process must fit everything always, just that
> the process ought to streamline the stuff that does fit into the mold
> (if you can build a .spec file, it shouldn't require human intervention),
> but if you are a special case (weird build instructions, binary only)
> a little bit more oversight is necessary.

Then Huzzah! We're in agreement.

-- 
Shawn Walker

_______________________________________________
indiana-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/indiana-discuss
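Nicolas Williams's point above is that a reviewer cannot vouch for object code the submitter built, even with source in hand; what a reviewer can do is have a trusted builder produce the package from the same spec and compare the two outputs. The following is an added example of that reviewer-side comparison; it is not code from any of the thread's participants or from the OpenSolaris packaging tools. The package "contents" are constructed in-memory dicts of delivered path to file bytes; against real packages the same functions would run over two unpacked package trees.

```python
"""Compare a submitter-built binary package against a trusted rebuild of the same spec.

Added example for the indiana-discuss thread; not the project's own code.
The SUBMITTED and REBUILT dicts below are constructed sample data standing in
for the files each package delivers.
"""
from __future__ import annotations

import hashlib


def digest_tree(files: dict[str, bytes]) -> dict[str, str]:
    """Map each delivered path to the SHA-256 of its contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare_builds(submitted: dict[str, bytes], rebuilt: dict[str, bytes]) -> dict[str, list[str]]:
    """Classify every path present in either build.

    match           identical bytes in both builds
    mismatch        present in both, but the submitter's bytes differ from the rebuild
    only_submitted  delivered by the submitter but never produced by the trusted rebuild
    only_rebuilt    produced by the trusted rebuild but absent from the submission
    """
    sub, reb = digest_tree(submitted), digest_tree(rebuilt)
    report: dict[str, list[str]] = {"match": [], "mismatch": [], "only_submitted": [], "only_rebuilt": []}
    for path in sorted(set(sub) | set(reb)):
        if path not in reb:
            report["only_submitted"].append(path)
        elif path not in sub:
            report["only_rebuilt"].append(path)
        elif sub[path] != reb[path]:
            report["mismatch"].append(path)
        else:
            report["match"].append(path)
    return report


def accept_as_is(report: dict[str, list[str]]) -> bool:
    """True only when the submission is byte-for-byte what the trusted rebuild produced.

    Anything else means the reviewer is being asked to trust the submitter's
    build environment rather than the spec, which is exactly the gap the
    thread is worried about.
    """
    return not (report["mismatch"] or report["only_submitted"] or report["only_rebuilt"])


# Constructed sample data (hypothetical paths and bytes, not from any real package):
# the submission carries one file the rebuild never produced, and one binary
# whose bytes differ from what the trusted builder got from the same spec.
SUBMITTED = {
    "usr/bin/foo": b"\x7fELF...foo-from-submitter-host",
    "usr/lib/libfoo.so.1": b"\x7fELF...libfoo",
    "usr/lib/foo/postinstall.sh": b"#!/bin/sh\necho installed\n",
}
REBUILT = {
    "usr/bin/foo": b"\x7fELF...foo-from-trusted-builder",
    "usr/lib/libfoo.so.1": b"\x7fELF...libfoo",
}

if __name__ == "__main__":
    result = compare_builds(SUBMITTED, REBUILT)
    for category, paths in result.items():
        for path in paths:
            print(f"{category:15} {path}")
    print("accept as-is:", accept_as_is(result))
```

A clean report only says the binary is what the spec produces on the trusted builder; the spec itself (build instructions, patches applied to upstream source) still needs the human review the thread describes, and a non-reproducible build shows up here as `mismatch` on every compiled file, which is itself useful information for the reviewer.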
