John Sonnenschein wrote:
>
> My point is essentially that unless the source code is built by a controlled
> system there's no way to verify that it is what the source code pointer says
> it is, so it ought to be treated as an exception to the rule, which means
> that someone trusted ought to be the submitter (or trusted by proxy) and the
> default shouldn't be to accept the package. If there's a good reason to have
> a pure binary, there's a reason and it can be accepted assuming the trust is
> there.

I agree to an automated build process to support this effort, and it so happens, I just reviewed such a process internally today that addresses this perfectly. But, it will take a little time to get it in place, and we need to move forward now, even if it is a little exposed and inefficient. That's why I included a procedure to update the processes.

As far as trust is concerned, I would rather we start by trusting people. Geeks are some of the most trustworthy people on earth, and also some of the best at ferreting out the untrustworthy types via review.

That said, if we change the /pending source code language to be the same as the /contrib language below, does it work?

  o The source code used to build the package must be referenced by
    url or included, unless explicitly approved by the community by
    TWO "+1" votes and NO "-1" votes after TWO non-weekend days

Cheers,
Jim

--
Jim Walker, http://blogs.sun.com/jwalker
Sun Microsystems, Software, Solaris QE
x77744, 500 Eldorado Blvd, Broomfield CO 80021
