* Nicolas Williams <[EMAIL PROTECTED]> [2008-11-13 23:24]:
> > So how does the reviewer make sure (with reasonable effort) that
> > the submitter has not injected malicious code in the binary package
> > he submitted?
>
> The reviewer can't really know that even if source is provided, not as
> long as the reviewer accepts object code built by the submitter.
>
> I think you may want to argue that submitters should submit spec files
> for building things and let trusted providers build the actual packages.

That is exactly what I was arguing for; it's what major Linux distros and
the BSDs are doing.

> In a way we'll be doing just that. First, we'll be our own submitters
> of spec files. Second, we'll review and use spec files that exist
> already or that others contribute. The main caveat is that if a spec
> file includes patching of third party FOSS source then we'll need to
> complete an OSR, whereas if we don't modify FOSS source then the process
> is lighter-weight.
>
> That doesn't mean that we'll only accept spec files. We currently
> intend to accept binary-only pkgs into the /contrib repo, and we intend
> to tag them accordingly.

Sounds good to me; if this is the plan then the proposal should reflect that.

--
Guido Berhoerster
_______________________________________________
indiana-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/indiana-discuss
