Shawn Walker wrote:
> 2008/6/24 Chris Ridd <[EMAIL PROTECTED]>:
>> On 19 Jun 2008, at 08:32, Venky wrote:
>>
>>> I find third-party contributors directly submitting binaries a scary
>>> prospect. The best option, IMO, would be to have them submit
>>> patches and build recipes (which are much more easily vetted) and
>>> have the actual build carried out by the /contrib project. Going
>>> the SFE way would seem to be the best option for this.
>>
>> Would requiring that all ELF binaries be signed (noting the recent
>> elfsign thread) mitigate your concerns? Obviously they only tell you
>> who provided the bad binaries in the first place, and it wouldn't help
>> at all with dangerous scripts.
>>
>> Having a build recipe seems safer though. This would make the contrib
>> repository a bit like the ports systems on other OSes (e.g. FreeBSD,
>> MacPorts, Gentoo, etc.)
>
> As long as there is an audit trail, I think it is perfectly acceptable
> to allow direct third-party contributions.
>
> Whether published packages should get "approved" by a contrib project
> member before being available is another story.
>
> I do not believe that contrib project members should have to be
> responsible for building everything (again).
Firstly, it generates transparency: nothing beats taking a quick look at http://www.freebsd.org/cgi/cvsweb.cgi/ports/ or http://pkgbuild.svn.sourceforge.net/viewvc/pkgbuild/spec-files-extra/trunk/ etc. to see how a package is built and with what patches. Secondly, it allows for easy customization by modifying a build recipe.

> I don't believe such a model will scale very well.

Look at the mentioned FreeBSD Ports (18700) or NetBSD Pkgsrc (7500); in fact it does scale very well.

_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
