On Thu, 2007-11-01 at 02:44 +0100, Filip Brcic wrote:
On Thursday 01 November 2007, Aniruddha wrote:
And you don't have to trust the packager, you trust the distribution and its security policy. And don't forget packages pass through many hands before ending up in the stable tree. In Debian/Ubuntu it goes from Experimental to Unstable to Testing to Stable. I can assure you that when it arrives at Stable you can trust it 100%. Gentoo/FreeBSD is the same, they have a very, very long testing period before new packages finally arrive in the stable tree.
Compare this to the openSUSE buildservice where everyone can get an account, start a repo and wreak havoc because there aren't any safety precautions.
I agree completely. Still, I would leave the build service as it is (in the end, I can make a Gentoo portage overlay if I have space on the web to upload ebuilds to, and since the size of such an overlay would be somewhere between 1 and 2 MB at the most, everybody can get that much online space). What I would do is add some additional rules/constraints on how to add "home:*" repositories. The rest of the repositories should be considered as something like "experimental/unstable/~x86/..." but checked for malicious code (or at least for malicious packagers). But home:* are completely free and unchecked and therefore should at least be restricted from being shown by default on the software.opensuse.org/search query tool.
Great to see someone who understands my point of view.
Since everything in the build service is free software you can always check the source the packages are built from yourself if you wish, and so can anyone else, which provides as much of a safeguard as possible.
This can be done for a few packages that you manually compile; however, openSUSE relies so heavily on the buildservice for functionality that it becomes a daunting task to check all these packages yourself.
At this moment I am downloading 180+ packages from KDE:KDE4 repository. But I trust the KDE team and KDE:KDE4 packagers not to include malware in the source and in the packages. But, as I said, why should I trust the "home:darix" repository (if I don't know who darix is) or whoever's "home:whoever" repository by default?
I agree completely. For example I do trust the packman repository, but indeed there are so many unknown anonymous packagers that it's difficult to determine if they are genuine.