other ways of working with third party vendors [was Re: Proposal: Revision of policy surrounding 3rd party and non-free software]

Matthew Garrett mjg59 at srcf.ucam.org
Wed Jan 22 23:24:09 UTC 2014


On Wed, Jan 22, 2014 at 11:54:15PM +0100, Miloslav Trmač wrote:
> On Wed, Jan 22, 2014 at 5:39 PM, Matthew Garrett <mjg59 at srcf.ucam.org>
> wrote:
> > You want that set of channels to include a number of third-party vendors
> > who distribute non-free software. There's a few practical problems here
> > - how do we choose those vendors? What process do we have for ensuring
> > that they aren't distributing malicious code? What if they provide a
> > package that breaks software that we ship as part of Fedora? What if a
> > vendor with a known history of shipping broken software requests
> > inclusion and kicks up a PR storm if we refuse?
> 
> Every single retailer is facing these questions about the products arriving
> from the vendors, and somehow they manage.  This should not be *that huge*
> a deal in practice; primarily it's a matter of mindset, abandoning the
> "full-featured and self-contained distribution" expectation.

I don't see the relation between those two things. We can move away from 
that expectation without providing any kind of third-party software by 
default.

> (It seems that sandboxing the third-party software is what the world is
> converging on, but we've also had >30 years of software products for sale
> before sandboxing existed.)

A bunch of technical problems are certainly solved if we assume that 
everything distributed this way is sandboxed, but sandboxing doesn't let 
you distribute codecs or graphics drivers.

-- 
Matthew Garrett | mjg59 at srcf.ucam.org

