On Fri, Feb 13, 2004 at 02:02:54PM -0800, Eric Paynter wrote:
> Matt Garman said:
> > This would serve a huge purpose for OSS: accountability, and an
> > easy means to verify source code (who made it, where it came from,
> > etc, etc). The intent is to help OSS "prove" that it is
> > legitimate, to avoid SCO-like fiascos.
> [...]
> > But if such a system were fully automated, easy to
> > use---ubiquitous---it would be easy to add the kind of
> > accountability OSS needs to combat the naysayers (and anti-OSS
> > FUD).
>
> CVS?

Yeah, that's kind of what I'm thinking about, but with a much more rigorous authentication/validation/verification system. Plus, on smaller projects, it may not be worth setting up CVS. Even with CVS, administrators might play loose with permissions, allowing easy corruption of the source.

I know those are effectively user problems, which can never be avoided, but that's the point I was trying to make: that this system has security so deeply imbedded and integrated that laziness, carelessness, maliciousness and human error become non-issues. The ultimate goal is for the legitimacy of all open source software to never come into question.

I think some of the infrastructure is already there. If all OSS projects used CVS, plus digitally-signed all code with public key encryption, then we'd have a nice collection of "verifiably authentic" code. The legitimacy of anything that is not digitally signed is uncertain.

Unfortunately, it's easier said than done (and my thoughts are certainly oversimplifications). If I won a bunch of money and could quit my job, I think it would be a fun concept to research and try to develop. It's fun to think about anyway :)

Have a good weekend!

Matt

--
Matt Garman
email at: http://raw-sewage.net/index.php?file=email
