> On Sat, 31 Mar 2007 15:24:03 -0400
> Seemant Kulleen <seemant@g.o> wrote:
>
>> To make it more clear. If the gcc developers decided to stick some
>> malicious code into gcc, it affects the entire Linux community, the
>> entire BSD community and would take out a few other communities as
>> well. The effects are far reaching and shared by everyone. If an
>> official package manager is outside of Gentoo's control, and the
>> maintainer(s) of that piece of software decide to do anything
>> malicious (examples: inject some dodgy code, remove documentation,
>> take out access to the repository, etc.) for whatever reason (say,
>> they get pissed off at a few Gentoo people and decide that the entire
>> Gentoo community can be painted that way), then
>
> ... Gentoo developers can take the latest release of said package
> manager and continue development from that. That's the wonderful thing
> about the GPL, no?

The fact that Gentoo can continue with the codebase is irrelevant. I
think more so the fact that a particular Package Manager would be the
'Gentoo Package Manager' means in my mind that Gentoo is responsible for
said Package Manager. If someone were to slip evil code into said Package
Manager and Gentoo released it, that would be bad.

Note that with Portage, Gentoo could pull svn access for any individuals
who commit such code. Gentoo have no guarantee of that with an externally
managed Manager, as Gentoo has no control over the source repositories.

If, by your comment above, Gentoo should maintain its own branch of said
package manager to insulate itself from issues such as the security issue
defined above, well, I think that may be one way to address the problem
presented by Seemant.

-Alec

-- 
gentoo-dev@g.o mailing list