Mailinglist Archive: opensuse-buildservice (349 mails)

Re: [opensuse-buildservice] Re: How secure is openSUSE build service?
  • From: Aniruddha <mailing_list@xxxxxxxxx>
  • Date: Thu, 01 Nov 2007 09:01:27 +0100
  • Message-id: <1193904087.3576.106.camel@xxxxxxxxxxxx>

On Wed, 2007-10-31 at 22:11 -0400, Patrick Shanahan wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

* Aniruddha <mailing_list@xxxxxxxxx> [10-31-07 20:31]:
[...]
For Gentoo/FreeBSD/Debian/Ubuntu there aren't additional repositories
necessary since these distributions maintain 14000-22000 packages
themselves. openSUSE on the other hand forces you to use 3rd party
repositories to get basic functionality working (see
http://opensuse-community.org/Restricted_Formats/10.3 ).

But you are not 'forced' to use anything. Basic functionality is
provided.

And you don't have to trust the packager, you trust the distribution and
its security policy. And don't forget packages pass through many hands
before ending up in the stable tree. In Debian/Ubuntu it goes from
Experimental to Unstable to Testing to Stable. I can assure you that when
it arrives at Stable you can trust it for 100%. Gentoo/FreeBSD is the
same, they have a very, very long testing period before new packages
finally arrive in the stable tree.

Compare this to the openSUSE buildservice where everyone can get an
account, start a repo and wreak havoc because there aren't any safety
precautions.


"Something" must be *terribly* wrong somewhere as no "problems" I am
aware of have been made public.

That is no argument. Right now apparently openSUSE has a big gaping
security hole which can be exploited in the future. And who should make
us aware of "problems" when no one checks the repos anyways?

I understand your concern, you have NO trust of anyone. I believe
there is a word for that, but....

Trust is no replacement for good security policies.

btw, you have made *many* posts recently critical of the openSUSE
distribution and the way that things are done. Is there *anything*
you find *right* about openSUSE distributions? Because, if you cannot
find anything *right*, one wonders why you remain!

Despite being off topic I will address your argument. I regard openSUSE
as one of the finest distributions on the market. I plan on actively
supporting it through my company. However before doing so I must be
absolutely certain of some aspects about which a regular user might care
less.

The fact that I ask questions or even criticize some aspect is because I
love to see openSUSE evolve into something even better. That's why I
offered to start a Dutch mailing list, help on the Dutch wiki and file
extensive bug reports for problems I encounter.


--
Regards,

Aniruddha

Please adhere to the OpenSUSE_mailing_list_netiquette
http://en.opensuse.org/OpenSUSE_mailing_list_netiquette

