Alec Warner wrote:
> The fact that Gentoo can continue with the codebase is irrelevant. I
> think more so the fact that a particular Package Manager would be the
> 'Gentoo Package Manager' means in my mind that Gentoo is responsible for
> said Package Manager. If someone were to slip evil code into said Package
> Manager and Gentoo released it; that would be bad.
>
> Note that with Portage, Gentoo could pull svn access for any individuals
> who commit such code. Gentoo have no guarantee of that with an externally
> managed Manager as Gentoo has no control over the source repositories.
>
> If, by your comment above, Gentoo should maintain its own branch of said
> package manager to insulate itself from issues such as the security issue
> defined above; well I think that may be one way to address the problem
> presented by Seemant.

Come on, that's a bogus argument. By that logic, we should be
maintaining our own branches of, say, sys-apps/shadow, since we don't
control the upstream CVS repository. I think something that's installed
in the base "system" set would also be perceived as something that
Gentoo is responsible for, since we ship it in our stage tarballs, the
basic building blocks of a Gentoo system.

--
Mike Kelly