I'm not sure my proposal has been understood at all.
This website/authority is a sort of advisory board where each member's participation
is 100% voluntary and distros are free to **ignore** it altogether.
What this website will contain is just a nice list of vetted open source packages,
versions and their hashes, signed by at least two independent parties (people or orgs,
doesn't matter), that's it. Who's going to populate this website is up to
people to decide.
This is just fundamentally not how Free Software works.
Fundamentally I don't understand your comment at all. My proposal is not
there to limit anyone's freedom; it's to provide guarantees that certain packages
have been vetted (checked and verified to be malware free) and that you are safe to use them.
Actually it's a huge stinking problem for a **ton** of open source users who want to
install certain packages that their distros don't have. It's especially relevant
for Fedora given it's basically a precursor of RedHat and it cannot contain a ton of
packages related to software patents.
As a result of it, BTW, your users blindly trust RPMFusion. A seemingly absolutely shady
website with no official ties to RedHat, which guarantees neither that the packages it
builds are malware free, nor that there are any actual people responsible for them. If
there are RPMFusion maintainers here, I'm not here to insult you, I'm just
relaying the status quo. RPMFusion does not look legit. I stopped using it over a decade
ago because I simply cannot understand why I should trust it. If RedHat denies anything
patent related, there are zero legal obligations for RedHat if someone starts spreading
malware via it. That sucks.
Back to the topic.
Then you have to painstakingly scour the web for distros already using this package and
check whether they have the same version with a hash. Then you download the package and
verify the hash and pray to God the distro has at least given a cursory look to this
package, so it's actually safe to install.
I guess I'm not coming from @fedora.org or @redhat.com, so my proposal is
"anti-freedom".
Sorry for wasting your time. You have not even provided the very basic counter-arguments
why my proposal makes no sense.
RedHat absolutely can start this initiative. You have all the means and resources, and
I'm not talking about something super complex or expensive. For all I know, it could
be the most basic website running on top of SQLite, costing the company $50 a month
to run.
And of course, without this website, distros will continue to valiantly include upstream
packages and get royally screwed and screw their poor users because a ton of your
maintainers have neither the time/resources, nor qualifications to check whether the code
you happily push to users is malware free.
I guess we'll have to have a few more accidents like this before someone comes up
with a similar solution only not coming from me personally, because I'm a no one and
just rending the air.
Sorry for intervening,
Artem