[indiana-discuss] [sw-porters-discuss] [desktop-discuss] contrib and pending repo processes
Guido Berhoerster
guido+opensolaris.org at berhoerster.name
Tue Nov 18 14:27:41 PST 2008
* Shawn Walker <swalker at opensolaris.org> [2008-11-18 22:41]:
> Specifically, I sincerely doubt that every single contributed package is
> going to have every single line of source code checked to verify that
> something malicious wasn't introduced.
That might not be the case, but there is at least the possibility
to check it. And that is also an additional deterrent for
submitters not to include sloppy patches or outright malicious
content.
> I agree that it can reduce the risk, but it does not eliminate it.
We can agree on that. To bring back your Debian example, in
Debian it took two years to discover the OpenSSL debacle, with
the current proposed procedure for the /contrib repo such a case
might never be discovered if someone submits a binary OpenSSL
package.
Now why realize this benefit and reduce this risk by making it a
requirement that packages of opensource software must be
submitted with build instructions or a build recipe and would they
be rebuilt before being moved from /pending into /contrib?
Non-OSS could still be submitted in binary form. What speaks
against that, why is there so much opposition against that?
Because of one time costs of setting up the infrastructure?
Because it might deter potential contributors? This is not clear
to me, it's not a new idea, but standard procedure for all major
Linux distros and the BSDs.
--
Guido Berhoerster