| 1 |
Mike Kelly wrote: |
| 2 |
> Alec Warner wrote: |
| 3 |
> |
| 4 |
>> The fact that Gentoo can continue with the codebase is irrelevant. I |
| 5 |
>> think moreso the fact that a particular Package Manager would be the |
| 6 |
>> 'Gentoo Package Manager' means in my mind that Gentoo is responsible for |
| 7 |
>> said Package Manager. If someone were to slip evil code into said Package |
| 8 |
>> Manager and Gentoo released it; that would be bad. |
| 9 |
>> |
| 10 |
>> Note that with Portage, Gentoo could pull svn access for any individuals |
| 11 |
>> who commit such code. Gentoo have no gaurantee of that with an externally |
| 12 |
>> managed Manager as Gentoo has no control over the source repositories. |
| 13 |
>> |
| 14 |
>> If, by your comment above, Gentoo should maintain it's own branch of said |
| 15 |
>> package manager to insulate itself from issues such as the security issue |
| 16 |
>> defined above; well I think that may be one way to address the problem |
| 17 |
>> presented by Seemant. |
| 18 |
>> |
| 19 |
> |
| 20 |
> Come on, that's a bogus argument. By that logic, we should be |
| 21 |
> maintaining our own branches of, say, sys-apps/shadow, since we don't |
| 22 |
> control the upstream CVS repository. I think something that's installed |
| 23 |
> in the base "system" set would also be perceived as something that |
| 24 |
> Gentoo is responsible for, since we ship it in our stage tarballs, the |
| 25 |
> basic building blocks of a Gentoo system. |
| 26 |
> |
| 27 |
|
| 28 |
Except we aren't the authors of sys-apps/shadow. sys-apps/shadow is not |
| 29 |
a Gentoo project. |
| 30 |
|
| 31 |
I think there is a difference. Take the issue with the ubuntu installer |
| 32 |
that left the root password in a |
| 33 |
log in /var. Who was responsible? Ubuntu. Why? Because it's their |
| 34 |
installer, their project. We don't |
| 35 |
endorse things like sys-apps/shadow; we just happen to use it. If we |
| 36 |
say 'Package X is the official manager', |
| 37 |
then to me that implies endorsement. A package manager is a solid part |
| 38 |
of Gentoo. Source based package |
| 39 |
management is a huge part of what separates us from all other |
| 40 |
distributions, I think that has some meaning, |
| 41 |
if not to you than to many of our users. If there was such a security |
| 42 |
problem with the official manager, who is |
| 43 |
responsible? Gentoo. Even if it's not really 'our' project. Because |
| 44 |
it's our manager. Not any other distros, but ours. |
| 45 |
|
| 46 |
-Alec |
| 47 |
-- |
| 48 |
gentoo-dev@g.o mailing list |
Archives