| 1 |
> On Sat, 31 Mar 2007 15:24:03 -0400 |
| 2 |
> Seemant Kulleen <seemant@g.o> wrote: |
| 3 |
> |
| 4 |
>> To make it more clear. If the gcc developers decided to stick some |
| 5 |
>> malicious code into gcc, it affects the entire linux community, the |
| 6 |
>> entire BSD community and would take out a few other communities as |
| 7 |
>> well. The effects are far reaching and shared by everyone. If an |
| 8 |
>> official package manager is outside of Gentoo's control, and the |
| 9 |
>> maintainer(s) of that piece of software decide to do anything |
| 10 |
>> malicious (examples: inject some dodgy code, remove documentation, |
| 11 |
>> take out access to the repository, etc) for whatever reason (say, |
| 12 |
>> they get pissed off at a few Gentoo people and decide that the entire |
| 13 |
>> Gentoo community can be painted that way), then |
| 14 |
> |
| 15 |
> ... Gentoo developers can take the latest release of said package |
| 16 |
> manager and continue development from that. That's the wonderful thing |
| 17 |
> about the GPL, no? |
| 18 |
|
| 19 |
The fact that Gentoo can continue with the codebase is irrelevant. I |
| 20 |
think moreso the fact that a particular Package Manager would be the |
| 21 |
'Gentoo Package Manager' means in my mind that Gentoo is responsible for |
| 22 |
said Package Manager. If someone were to slip evil code into said Package |
| 23 |
Manager and Gentoo released it; that would be bad. |
| 24 |
|
| 25 |
Note that with Portage, Gentoo could pull svn access for any individuals |
| 26 |
who commit such code. Gentoo have no gaurantee of that with an externally |
| 27 |
managed Manager as Gentoo has no control over the source repositories. |
| 28 |
|
| 29 |
If, by your comment above, Gentoo should maintain it's own branch of said |
| 30 |
package manager to insulate itself from issues such as the security issue |
| 31 |
defined above; well I think that may be one way to address the problem |
| 32 |
presented by Seemant. |
| 33 |
|
| 34 |
-Alec |
| 35 |
|
| 36 |
-- |
| 37 |
gentoo-dev@g.o mailing list |
Archives