Mike Kelly wrote:
> Alec Warner wrote:
>
>> The fact that Gentoo can continue with the codebase is irrelevant. I
>> think more so the fact that a particular Package Manager would be the
>> 'Gentoo Package Manager' means in my mind that Gentoo is responsible for
>> said Package Manager. If someone were to slip evil code into said Package
>> Manager and Gentoo released it; that would be bad.
>>
>> Note that with Portage, Gentoo could pull svn access for any individuals
>> who commit such code. Gentoo have no guarantee of that with an externally
>> managed Manager as Gentoo has no control over the source repositories.
>>
>> If, by your comment above, Gentoo should maintain its own branch of said
>> package manager to insulate itself from issues such as the security issue
>> defined above; well I think that may be one way to address the problem
>> presented by Seemant.
>>
>
> Come on, that's a bogus argument. By that logic, we should be
> maintaining our own branches of, say, sys-apps/shadow, since we don't
> control the upstream CVS repository. I think something that's installed
> in the base "system" set would also be perceived as something that
> Gentoo is responsible for, since we ship it in our stage tarballs, the
> basic building blocks of a Gentoo system.
>
|
Except we aren't the authors of sys-apps/shadow. sys-apps/shadow is not
a Gentoo project.
|
I think there is a difference. Take the issue with the Ubuntu installer
that left the root password in a log in /var. Who was responsible?
Ubuntu. Why? Because it's their installer, their project. We don't
endorse things like sys-apps/shadow; we just happen to use it. If we
say 'Package X is the official manager', then to me that implies
endorsement. A package manager is a solid part of Gentoo. Source based
package management is a huge part of what separates us from all other
distributions, I think that has some meaning, if not to you then to many
of our users. If there was such a security problem with the official
manager, who is responsible? Gentoo. Even if it's not really 'our'
project. Because it's our manager. Not any other distro's, but ours.
|
-Alec
--
gentoo-dev@g.o mailing list