[opensuse-buildservice] Re: How secure is openSUSE build service?
For Gentoo/FreeBSD/Debian/Ubuntu/ there aren't additional repositories necessary since these distributions maintain 14000-22000 packages themselves. openSUSE on the other hand forces you to use 3rd party repositories to get basic functionality working (see http://opensuse-community.org/Restricted_Formats/10.3 ).
Not true. The same restricted formats are unavailable in Gentoo/FreeBSD/Debian/Ubuntu until you add 3rd party repositories, which were built and created by people that aren't part of that distribution's "official team." You still have the same problem. If you're this paranoid about third-party packages you'd do best to buy a commercial distro such as SLED 10 and only update from its official update source. It seems anything built by the community-at-large would not be trusted by you... it would be nearly impossible to achieve the level of integrity that you're asking for, unless a company was involved that verified each package didn't do anything nasty (that's why I mention a commercial distro). Just doing an md5 sum of a package and signing it doesn't guarantee that the packager still isn't doing something evil in the package itself... you'd still have to trust the package maintainer at the end of the day. Just my .02
-- Eric http://nixwizard.net
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
On Thu, 2007-11-01 at 06:01 +0000, Eric M. Gearhart wrote:
Not true. The same restricted formats are unavailable in Gentoo/FreeBSD/Debian/Ubuntu until you add 3rd party repositories, which were built and created by people that aren't part of that distribution's "official team." You still have the same problem.
This really is nonsense. If you have used Gentoo/FreeBSD/Debian/ you should know better. I know for a fact that: Gentoo/FreeBSD doesn't require any third-party repositories to get restricted formats working. You can see it for yourself: http://gentoo-portage.com/ http://www.freebsd.org/ports/ Debian only doesn't offer dvd support, which you can get at ( http://www.debian-multimedia.org/ ). This site has been maintained for years now by Debian dev Christian and is therefore a trusted resource (just as packman and guru). I assume the same goes for Ubuntu.
If you're this paranoid about third-party packages you'd do best to buy a commercial distro such as SLED 10 and only update from its official update source. It seems anything built by the community-at-large would not be trusted by you... it would be nearly impossible to achieve the level of integrity that you're asking for, unless a company was involved that verified each package didn't do anything nasty (that's why I mention a commercial distro). Just doing an md5 sum of a package and signing it doesn't guarantee that the packager still isn't doing something evil in the package itself... you'd still have to trust the package maintainer at the end of the day.
Just my .02
How many packages does SLED 10 / openSUSE offer (1000-3000)? Compare this to 14000-22000 packages the aforementioned distros offer (without third-party repos and with security fixes). You'll be missing a lot of functionality. It's like getting the keys to a beautiful sports car but you can't drive.
-- Regards, Aniruddha Please adhere to the OpenSUSE_mailing_list_netiquette http://en.opensuse.org/OpenSUSE_mailing_list_netiquette
On Thursday 01 November 2007 03:16:28 am Aniruddha wrote: ....
How many packages does SLED 10 / openSUSE offer (1000-3000)? Compare this to 14000-22000 packages the aforementioned distros offer (without third-party repos and with security fixes). You'll be missing a lot of functionality. It's like getting the keys to a beautiful sports car but you can't drive.
Hi Aniruddha, how many of those 14-22 thousand are just different architectures? Recently Pascal (guru) analyzed openSUSE and counting all different versions of same software came to large numbers, comparable to above. I'll try to find mails, it must be in project mail list.
-- Regards, Rajko.
On Thu, 2007-11-01 at 18:56 -0500, Rajko M. wrote:
On Thursday 01 November 2007 03:16:28 am Aniruddha wrote: ....
How many packages does SLED 10 / openSUSE offer (1000-3000)? Compare this to 14000-22000 packages the aforementioned distros offer (without third-party repos and with security fixes). You'll be missing a lot of functionality. It's like getting the keys to a beautiful sports car but you can't drive.
Hi Aniruddha,
how many of those 14-22 thousand are just different architectures. Recently Pascal (guru) analyzed openSUSE and counting all different versions of same software came to large numbers, comparable to above.
I'll try to find mails, it must be in project mail list.
Good point :) Only these packages are all for the x86 architecture, it's incredible but true ;)
-- Regards, Aniruddha Please adhere to the OpenSUSE_mailing_list_netiquette http://en.opensuse.org/OpenSUSE_mailing_list_netiquette
On Fri, 2007-11-02 at 01:05 +0100, Aniruddha wrote:
Hi Aniruddha,
how many of those 14-22 thousand are just different architectures. Recently Pascal (guru) analyzed openSUSE and counting all different versions of same software came to large numbers, comparable to above.
I'll try to find mails, it must be in project mail list.
Good point :) Only these packages are all for the x86 architecture, it's incredible but true ;)
You can see it for yourself: Last Update: 23:01:39 01 Nov 2007 Number of Categories: 151 Number of Packages: 11966 Number of Ebuilds: 25243 http://pebuilds.peschke.us/
On Thursday 01 November 2007 07:10:40 pm Aniruddha wrote:
On Fri, 2007-11-02 at 01:05 +0100, Aniruddha wrote:
Hi Aniruddha,
how many of those 14-22 thousand are just different architectures. Recently Pascal (guru) analyzed openSUSE and counting all different versions of same software came to large numbers, comparable to above.
I'll try to find mails, it must be in project mail list.
Good point :) Only these packages are all for the x86 architecture, it's incredible but true ;)
You can see it for yourself:
Last Update: 23:01:39 01 Nov 2007 Number of Categories: 151 Number of Packages: 11966 Number of Ebuilds: 25243
I see 16 architectures, not only x86 and each gives same number of Categories, Packages and Ebuilds, ie. that is summary for whole repository.
-- Regards, Rajko.
On Thursday 01 November 2007 10:49:31 pm Rajko M. wrote: ...
I'll try to find mails, it must be in project mail list.
Good point :) Only these packages are all for the x86 architecture, it's incredible but true ;)
You can see it for yourself:
Last Update: 23:01:39 01 Nov 2007 Number of Categories: 151 Number of Packages: 11966 Number of Ebuilds: 25243
I see 16 architectures, not only x86 and each gives same number of Categories, Packages and Ebuilds, ie. that is summary for whole repository.
Finally found: http://lists.opensuse.org/opensuse-project/2007-09/msg00074.html
-- Regards, Rajko.
On Thu, 2007-11-01 at 22:58 -0500, Rajko M. wrote:
You can see it for yourself:
Last Update: 23:01:39 01 Nov 2007 Number of Categories: 151 Number of Packages: 11966 Number of Ebuilds: 25243
I see 16 architectures, not only x86 and each gives same number of Categories, Packages and Ebuilds, ie. that is summary for whole repository.
There are 11966 each with different ebuilds for different versions, hence the ebuild count of 25243. You can verify that for yourself by checking the ebuilds (e.g. http://gentoo-portage.com/app-cdr/kiso ) Gentoo even hosts all mods for ut2004/2003: http://gentoo-portage.com/games-fps
Finally found: http://lists.opensuse.org/opensuse-project/2007-09/msg00074.html
Hey thanks! This has been a great read. I noticed a few things:
-openSUSE core has far more packages than I thought (6412). This is roughly the same as PCLinuxOS offers. Only PCLinuxOS apparently offers a better package selection since there is no need to look outside the standard repository. In other words I do think that a reevaluation of the core packages could greatly enhance openSUSE functionality. Why not put libxine on the openSUSE servers (not on the cd) and let user decide themselves if they are legally entitled in using it? There is nothing wrong with that.
-However I do feel that the real problem is that Novell keeps access to the core packages to themselves. I think it would be far better to setup a structure to attract developers from the community (we have enough quality packagers) and to let them maintain (maybe with the aid of Novell devs) the openSUSE core packages. Ideally this would blend the Packman repository with the openSUSE core packages.
What is the best way to propose this to Novell? Is a bugreport the best way? Or maybe an e-mail?
-- Regards, Aniruddha Please adhere to the OpenSUSE_mailing_list_netiquette http://en.opensuse.org/OpenSUSE_mailing_list_netiquette
On Friday 02 November 2007 06:08:36 am Aniruddha wrote: [...]
Why not put libxine on the openSUSE servers (not on the cd) and let user decide themselves if they are legally entitled in using it? There is nothing wrong with that.
In the US even making it easy is not permitted. I remember a case where a company offered DVD decoding software, letting users decide, and lost the case. The other, more prominent example is Napster. Their defense was that users should know what is allowed and what not.
-However I do feel that the real problem is that Novell keeps access to the core packages to themselves.
This is not the case as long as one has access to sources. It is possible to start own SVN with that sources and develop in any thinkable direction. The only limitation are registered trademarks and logos, but that is documented: http://en.opensuse.org/Debranding and it has a tool: http://en.opensuse.org/Rembrand
I think it would be far better to setup a structure to attract developers from the community (we have enough quality packagers) and to let them maintain (maybe with the aid of Novell devs) the openSUSE core packages. Ideally this would blend the Packman repository with the openSUSE core packages.
It will with growth of build service, and change in laws.
What is the best way to propose this to Novell? Is a bugreport the best way? Or maybe an e-mail?
You can do that in project mail list. They probably look for the sponsor.
-- Regards, Rajko.
On Fri, 2007-11-02 at 20:08 -0500, Rajko M. wrote:
On Friday 02 November 2007 06:08:36 am Aniruddha wrote: [...]
Why not put libxine on the openSUSE servers (not on the cd) and let user decide themselves if they are legally entitled in using it? There is nothing wrong with that.
In the US even making it easy is not permitted. I remember a case where a company offered DVD decoding software, letting users decide, and lost the case. The other, more prominent example is Napster. Their defense was that users should know what is allowed and what not.
I don't get it. Why is it that Ubuntu/Debian/FreeBSD/Gentoo/PCLinuxOS can easily offer restricted formats from their own repositories? In what way is openSUSE different that it can't provide the same functionality?
-However I do feel that the real problem is that Novell keeps access to the core packages to themselves.
This is not the case as long as one has access to sources. It is possible to start own SVN with that sources and develop in any thinkable direction. The only limitation are registered trademarks and logos, but that is documented: http://en.opensuse.org/Debranding and it has a tool: http://en.opensuse.org/Rembrand
I am more looking for synergy than forking ;)
I think it would be far better to setup a structure to attract developers from the community (we have enough quality packagers) and to let them maintain (maybe with the aid of Novell devs) the openSUSE core packages. Ideally this would blend the Packman repository with the openSUSE core packages.
It will with growth of build service, and change in laws.
What is the best way to propose this to Novell? Is a bugreport the best way? Or maybe an e-mail?
You can do that in project mail list. They probably look for the sponsor.
The opensuse-project list?
-- Regards, Aniruddha Please adhere to the OpenSUSE_mailing_list_netiquette http://en.opensuse.org/OpenSUSE_mailing_list_netiquette
On Friday 02 November 2007 08:24:51 pm Aniruddha wrote:
On Fri, 2007-11-02 at 20:08 -0500, Rajko M. wrote:
On Friday 02 November 2007 06:08:36 am Aniruddha wrote: [...]
I don't get it. Why is it that Ubuntu/Debian/FreeBSD/Gentoo/PCLinuxOS can easily offer restricted formats from their own repositories? In what way is openSUSE different that it can't provide the same functionality?
BTW, this topic was beaten to death in all popular openSUSE mail lists. I think that most of regular visitors there have developed allergy and some kind soul provided article: http://en.opensuse.org/Restricted_Formats as a cure. When someone asks, we just point to the link. [...]
I am more looking for synergy than forking ;)
[...]
Packman repository with the openSUSE core packages.
This is how synergy can happen:
It will with growth of build service, and change in laws.
What is the best way to propose this to Novell? Is a bugreport the best way? Or maybe an e-mail?
You can do that in project mail list. They probably look for the sponsor.
The opensuse-project list?
http://lists.opensuse.org/
-- Regards, Rajko.
On Fri, 2007-11-02 at 22:49 -0500, Rajko M. wrote:
On Friday 02 November 2007 08:24:51 pm Aniruddha wrote:
On Fri, 2007-11-02 at 20:08 -0500, Rajko M. wrote:
On Friday 02 November 2007 06:08:36 am Aniruddha wrote: [...]
I don't get it. Why is it that Ubuntu/Debian/FreeBSD/Gentoo/PCLinuxOS can easily offer restricted formats from their own repositories? In what way is openSUSE different that it can't provide the same functionality?
BTW, this topic was beaten to death in all popular openSUSE mail lists. I think that most of regular visitors there have developed allergy and some kind soul provided article: http://en.opensuse.org/Restricted_Formats as a cure. When someone asks, we just point to the link.
I know the link. Apparently according to this article it's not a legal but an ethical issue. Really believe me it is impossible to explain to a customer why his dvd / mp3's won't work. People have enough to get used to when going from Windows to Linux without dealing with arbitrary issues like these. To sum it up I am more a practical guy; drop the moral crusade against proprietary content and let people discover themselves the benefits of OSS. Acknowledging this is an age-old discussion with no end in sight I will stop here. Fortunately this really isn't a big issue thanks to the excellent YaST2 Product Creator ( http://news.opensuse.org/?p=478 ) :D
I am more looking for synergy than forking ;)
[...]
Packman repository with the openSUSE core packages.
This is how synergy can happen:
It will with growth of build service, and change in laws.
What is the best way to propose this to Novell? Is a bugreport the best way? Or maybe an e-mail?
You can do that in project mail list. They probably look for the sponsor.
The opensuse-project list?
Thanks.
-- Regards, Aniruddha Please adhere to the OpenSUSE_mailing_list_netiquette http://en.opensuse.org/OpenSUSE_mailing_list_netiquette
On 03/11/2007, Aniruddha <mailing_list@orange.nl> wrote:
I know the link. Apparently according to this article it's not a legal but an ethical issue.
No, it's a legal issue as well. Using patent & copyright infringing things is never really an issue. Distribution of infringing software most certainly is an issue. Knowing distribution of something like xine mp3 support by an American company would be in violation of the mp3 patent, would make them liable. Furthermore the GPL does not grant permission to distribute software that is encumbered from distribution by patents unless you can extend the patent protection to all potential distributees, and their distributees etc. So it would be in violation of both patent licence making Novell liable to the patent holders, and potentially to the software authors. Similar problems exist for other software, e.g. the nvidia driver is non-gpl, yet is a derived work of the kernel which is GPL. Distributing the driver in a form linked against the kernel is in violation of the GPL, and violates the kernel developer's copyright. However, the GPL only applies restrictions to distribution, not to usage. And in almost all the world software patents are not an issue. So it's ok for users to use these restricted formats, but not OK for Novell to distribute them.
-- Benjamin Weber
On Saturday 03 November 2007 10:33:10 wrote Benji Weber:
On 03/11/2007, Aniruddha <mailing_list@orange.nl> wrote:
I know the link. Apparently according to this article it's not a legal but an ethical issue.
No, it's a legal issue as well. Using patent & copyright infringing things is never really an issue. Distribution of infringing software most certainly is an issue.
Knowing distribution of something like xine mp3 support by an american company would be in violation of the mp3 patent, would make them liable. Furthermore the GPL does not grant permission to distribute
Just for correctness, mp3 patents are also valid in Europe (it is not a software patent, the algorithm is patented, what works here as well). bye adrian
-- Adrian Schroeter SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg) email: adrian@suse.de
Aniruddha wrote:
To sum it up I am more a practical guy; drop the moral crusade against proprietary content and let people discover themselves the benefits of OSS.
You are preaching in the wrong church, there is no moral crusade here, companies have to **obey the law**, in this particular case. Novell cannot distribute software that is illegal or covered by patents wherever it conducts business (that is, worldwide)
On Friday 02 November 2007 12:08:36 wrote Aniruddha: ...
Finally found: http://lists.opensuse.org/opensuse-project/2007-09/msg00074.html
Hey thanks! This has been a great read. I noticed a few things:
-openSUSE core has far more packages than I thought (6412). This is roughly the same as PCLinuxOS offers. Only PCLinuxOS apparently offers a better package selection since there is no need to look outside the standard repository.
In other words I do think that a reevaluation of the core packages could greatly enhance openSUSE functionality. Why not put libxine on the openSUSE servers (not on the cd) and let user decide themselves if they are legally entitled in using it? There is nothing wrong with that.
You mean a fully enabled libxine? This will not happen on a Novell hosted server, because it would make us liable. (and this is not only true for US-based servers, there are also examples of lawsuits in Europe against European companies which lost their lawsuit when providing codecs in their products)
-However I do feel that the real problem is that Novell keeps access to the core packages to themselves. I think it would be far better to setup a structure to attract developers from the community (we have enough quality packagers) and to let them maintain (maybe with the aid of Novell devs) the openSUSE core packages. Ideally this would blend the Packman repository with the openSUSE core packages.
What is the best way to propose this to Novell? Is a bugreport the best way? Or maybe an e-mail?
You can see in our roadmap that we plan to make it more easy to participate in the factory packages early next year. And hopefully also building the Factory distribution within the build service. However, this will not help to add packages like mplayer or fully enabled xine to the distro. bye adrian
-- Adrian Schroeter SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg) email: adrian@suse.de
Aniruddha wrote:
How many packages does SLED 10 / openSUSE offer (1000-3000)? Compare this to 14000-22000 packages the aforementioned distros offer
Then start contributing your time and work creating more packages and stop these nonsensical threads .. Thank you.
participants (6)
- Adrian Schröter
- Aniruddha
- Benji Weber
- Cristian Rodríguez
- Eric M. Gearhart
- Rajko M.