On Wed, Nov 25, 2009 at 01:12:47PM -0800, Darren Reed wrote:

> I think that derailing this case is an over-reaction primarily because
> it has been seen as an "attack" tool without properly considering what
> the scope of its potential targets is.
I'd go further: excluding any software that does have utility because it can also be used maliciously is silly, very, very silly... EXCEPT in the case of software that exercises zero-day vulns for which there are no patches yet (though even then, a vuln that's gone unfixed for, say, years, is clearly one not to worry about too much). Even if you are inclined to disagree, if other distros have shipped the piece of FOSS in question, then that's evidence that at least in this case we're over-reacting.

Of course, there may also be no good reason to include such software, though in this case I don't see it.

More than anything what I see here is that our process for including FOSS in OpenSolaris is not yet optimized, unless we mean to say something like "everything that isn't necessarily core goes in /contrib only (or until it becomes popular enough to merit being in /release)". I would recommend putting all not-really-core FOSS into /contrib first anyways. But is that to be an ARC policy?

Nico
--