2008/6/24 Venky <[EMAIL PROTECTED]>:
>> You can still have transparency without making so that one group of
>> people has to rebuild everything.
>
> How?
By simply having a policy that says you have to provide necessary materials?

>> > Secondly, it allows for easy customization by modifying a build recipe.
>>
>> Again, you don't have to operate things that way to achieve the same
>> results.
>
> Again, how? How does a published binary-only package allow someone
> apart from the publisher to modify the build recipe?

Because the build materials can be provided?

>> And in some cases, no source code may be available.
>
> A build recipe would still be useful in this case since we would
> need to do stuff like unpacking the binary package and republishing
> it to a pkg repository.

The important thing to remember is that *a* package is better than *no package*. Sometimes users won't have a good build recipe. Those packages shouldn't be excluded from availability simply because there is not an easily-reproducible build recipe.

> Also, there is the question of responsibility. If a backdoor is
> discovered in a binary package of Apache, the Apache project is not
> responsible, it is the distributor of the package -- in this case,
> OpenSolaris. (I guess some small-print will absolve the project of
> direct legal responsibility, however.)

Yes, but again, that's where policy comes in. As the recent Debian problem with OpenSSL shows, just because you have a fully-repeatable build recipe and source does not guarantee that a security problem won't be introduced.

>> >> I don't believe such a model will scale very well.
>> >
>> > Look at the mentioned FreeBSD Ports (18700) or NetBSD Pkgsrc (7500), in
>> > fact it does scale very well.
>>
>> Sorry, but I just don't agree.
>
> You don't agree that the FreeBSD ports model scales?!

I'm not speaking about FreeBSD's model. I'm just saying that whatever model we adopt is not scalable in my view if it requires a human being to intervene and rebuild something that has already been provided built.
--
Shawn Walker

_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
