| 1 |
Alec Warner wrote: |
| 2 |
> The fact that Gentoo can continue with the codebase is irrelevant. I |
| 3 |
> think moreso the fact that a particular Package Manager would be the |
| 4 |
> 'Gentoo Package Manager' means in my mind that Gentoo is responsible for |
| 5 |
> said Package Manager. If someone were to slip evil code into said Package |
| 6 |
> Manager and Gentoo released it; that would be bad. |
| 7 |
> |
| 8 |
> Note that with Portage, Gentoo could pull svn access for any individuals |
| 9 |
> who commit such code. Gentoo have no gaurantee of that with an externally |
| 10 |
> managed Manager as Gentoo has no control over the source repositories. |
| 11 |
> |
| 12 |
> If, by your comment above, Gentoo should maintain it's own branch of said |
| 13 |
> package manager to insulate itself from issues such as the security issue |
| 14 |
> defined above; well I think that may be one way to address the problem |
| 15 |
> presented by Seemant. |
| 16 |
|
| 17 |
Come on, that's a bogus argument. By that logic, we should be |
| 18 |
maintaining our own branches of, say, sys-apps/shadow, since we don't |
| 19 |
control the upstream CVS repository. I think something that's installed |
| 20 |
in the base "system" set would also be perceived as something that |
| 21 |
Gentoo is responsible for, since we ship it in our stage tarballs, the |
| 22 |
basic building blocks of a Gentoo system. |
| 23 |
|
| 24 |
-- |
| 25 |
Mike Kelly |
Archives