On Thu, 2007-11-01 at 09:25 +0000, Benji Weber wrote:
On 01/11/2007, Aniruddha email@example.com wrote:
Of course it is doable (see Debian/Gentoo/FreeBSD/Ubuntu, which support up to 22000 packages). The only question is how ;)
Partly because they have a lot of people producing the packages, and if one were cynical one could suggest it is because they don't do so much security & quality checking compared to RH/SUSE etc., whose businesses depend on it.
That would be very cynical, since Debian and Gentoo have very high security standards, in which large companies (e.g. hyves.nl) place their trust: http://www.linux.com/feature/118799
You are trusting the packagers from Gentoo/Ubuntu etc. because they are associated with the project, not because you know that they are in fact doing their job properly. That is the point: you choose whom you wish to trust. The valid problems here are:
- There are not separate keys for each repository - this is on the roadmap to be fixed by year end. http://en.opensuse.org/Build_Service/Roadmap
- There is no way to tie a packager's key to peer ratings/comments etc. This will be easier to implement once the user database, which stores identity & other information about users & packages, is ready.
We can make it easier to make an informed decision about whom one wishes to trust, but the choice about whom to trust still has to be up to you.
I agree 100%. These two suggestions should make it a lot easier to determine whether a repo is trustworthy.
Making home: repositories harder to add doesn't solve any problem, and anyone can make use of the one-click install mechanism for repositories that aren't even in the build service.
Maybe a better warning message instead of the current 'malicious package' warning could improve the situation.