On 04/04/2018 16:38, Daniel P. Berrangé wrote:
>>> Actually I believe we should remove those links.  I don't think hosting
>>> QEMU binaries on mediafire is a good idea.
>>> Paolo
>> Why not?
> The source/quality of those binaries is completely opaque. We've no idea who
> built them, nor what build options were used, nor what/where the corresponding
> source is (required for GPL compliance), nor any checksum / signature to
> validate the binary isn't compromised since build, etc, etc.
> Pointing users to those binaries makes it appear QEMU project is blessing
> them, and so any issues with them directly reflect on QEMU's reputation.
> If we're going to link to binaries telling users to download them, we need
> to be hosting them on qemu.org and have a clearly documented formal process
> around building & distributing them.
> Since both Homebrew & Macports are providing formal bulds though, it looks
> simpler to just entirely delegate the problem to them, as we do for Linux
> where we delegate to distro vendors to build & distribute binaries.

Note that, to some extent, the same issues do apply to Win32 binaries
(in particular, they are distributed under http and there are no
signatures).  However, the situation is better in that they are hosted
on an identifiable person's website, and of course Windows doesn't have
something akin to Homebrew and Macports so there is no alternative to
volunteers building and hosting the binaries.


Reply via email to