On Tue, Sep 06, 2005 at 01:48:25PM +0200, Pascal Bleser wrote:
> C'mon, it's the same on packman: someone sends an e-mail "hi I packaged this". Would you just take his RPM and put it in the packman repository as-is, without reviewing or testing it?
What if the package was clearly marked as untested, submitted by an unknown, unrated, untrusted new user, and not available through automatic update, but only with explicit manual intervention? Would you still object?

Trust is an issue. But keeping everything out and only letting trusted packages in is only one possible solution, and one that creates the bottlenecks you can observe in other open projects.

Another idea is transparency: make clear what level of trust a package has, what kinds of reviews were done, and make sure users know the risks when they download and install something. But allow everyone to use the build infrastructure and package distribution servers and host their packages there.

What would we need for such a model to work?

Sonja

--
Sonja Krause-Harder (skh@suse.de)
Research & Development
SUSE Linux Products GmbH