<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On 24 April 2014 16:06, Christian Schaller <span dir="ltr"><<a href="mailto:cschalle@redhat.com" target="_blank">cschalle@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class=""><br></div><div><div class="h5">
> These were things that people were wondering when this came up in the past.<br>
<br>
</div></div>Once again this is becoming a debate about hypotheticals which rarely leads anywhere<br>
constructive.<br>
<br></blockquote><div><br></div><div>It actually isn't hypothetical. I have had to deal with a lot of problems with 3rd party repositories at previous jobs. The easiest and most common one is where the 3rd party later ships something that conflicts with the main repository. The weirder ones are where a clean package got stuff added to it where it backdoored the desktop or where it added a P2P service which set off all kinds of emails from the RIAA to the universities legal. </div>
<div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
To take a concrete case instead. Are you really worried about Google starting to ship<br>
dvdcss as part of their Chrome repository? Do you really think that is a question<br>
keeping our lawyers up at night?<br>
<br></blockquote><div><br></div><div>I am more worried about the criteria we are using for choosing these repositories, how they are chosen, vetted and added and a basic "How we plan to deal with problems when they occur" versus the standard "OMG THE SKY IS FALLING AND ITS ALL <FILL-IN-BLANK> FAULT". Because problems will occur and they will be at various very inconvenient times so having at least a "We will contact X, we will turn off Y in package Z, we will then push an update" with who to contact to deal with them.</div>
<div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Are there repositories out there where we can not trust the person or company behind<br>
it enough to include it by default for legal reasons? Sure there is, but you can't say<br>
that just because we would not want to risk shipping the <a href="http://rpm-warez.tor.net" target="_blank">rpm-warez.tor.net</a> repo by default<br>
all 3rd party repos are high risk and something our lawyers would be concerned about. Because<br>
that is the argument you in practice is making when you are posing hypothetical questions about<br>
the risk of 3rd party repos.<br>
<span class="HOEnZb"><font color="#888888"><br></font></span></blockquote><div><br></div><div>You seem to have completely misread me so it is clear we are talking past each other. Since I am not communicating clearly in a way you or others understand, I will stop and withdrawal until I can better do so.</div>
<div><br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="HOEnZb"><font color="#888888">
Christian<br>
</font></span><div class="HOEnZb"><div class="h5">--<br>
devel mailing list<br>
<a href="mailto:devel@lists.fedoraproject.org">devel@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/devel" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/devel</a><br>
Fedora Code of Conduct: <a href="http://fedoraproject.org/code-of-conduct" target="_blank">http://fedoraproject.org/code-of-conduct</a></div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr">
Stephen J Smoogen.<br><br></div>
</div></div>