[indiana-discuss] [sw-porters-discuss] contrib and pending repo processes

Guido Berhoerster guido+opensolaris.org at berhoerster.name
Thu Nov 13 14:52:10 PST 2008


* Nicolas Williams <Nicolas.Williams at sun.com> [2008-11-13 23:24]:
> > So how does the reviewer make sure (with reasonable effort) that
> > the submitter has not injected malicious code in the binary package
> > he submitted?
> 
> The reviewer can't really know that even if source is provided, not as
> long as the reviewer accepts object code built by the submitter.
> 
> I think you may want to argue that submitters should submit spec files
> for building things and let trusted providers build the actual packages.

That is exactly what I was arguing for; it's what the major Linux
distros and the BSDs are doing.

> In a way we'll be doing just that.  First, we'll be our own submitters
> of spec files.  Second, we'll review and use spec files that exist
> already or that others contribute.  The main caveat is that if a spec
> file includes patching of third party FOSS source then we'll need to
> complete an OSR, whereas if we don't modify FOSS source then the process
> is lighter-weight.
> 
> That doesn't mean that we'll only accept spec files.  We currently
> intend to accept binary-only pkgs into the /contrib repo, and we intend
> to tag them accordingly.

Sounds good to me; if this is the plan, then the proposal should
reflect that.

-- 
Guido Berhoerster
