On Thu, Nov 13, 2008 at 11:52:10PM +0100, Guido Berhoerster wrote:
> * Nicolas Williams <[EMAIL PROTECTED]> [2008-11-13 23:24]:
> > > So how does the reviewer make sure (with reasonable effort) that
> > > the submitter has not injected malicious code in the binary package
> > > he submitted?
> >
> > The reviewer can't really know that even if source is provided, not as
> > long as the reviewer accepts object code built by the submitter.
> >
> > I think you may want to argue that submitters should submit spec files
> > for building things and let trusted providers build the actual packages.
>
> That is exactly what I was arguing for, it's what major Linux
> distros and the BSDs are doing.

Right. Keep in mind that we're going to end up with several repos
spanning the range of trustworthiness.

> > In a way we'll be doing just that. First, we'll be our own submitters
> > of spec files. Second, we'll review and use spec files that exist
> > already or that others contribute. The main caveat is that if a spec
> > file includes patching of third party FOSS source then we'll need to
> > complete an OSR, whereas if we don't modify FOSS source then the process
> > is lighter-weight.
> >
> > That doesn't mean that we'll only accept spec files. We currently
> > intend to accept binary-only pkgs into the /contrib repo, and we intend
> > to tag them accordingly.
>
> Sounds good to me, if this is the plan then the proposal should
> reflect that.

Which part of the proposal did not reflect that?

Nico

--
_______________________________________________
indiana-discuss mailing list
http://mail.opensolaris.org/mailman/listinfo/indiana-discuss
