package, package2, package3 naming-with-version exploit

Nicolas Mailhot nicolas.mailhot at laposte.net
Thu Apr 4 17:27:23 UTC 2013


On Wed 3 April 2013 21:00, Richard W.M. Jones wrote:

> So we have, I think, four choices:
>
> (1) embrace the software, allow it to be shipped (or even ship it
> ourselves), and don't care about the security problems
>
> (2) deal with the combinatorial security explosion of having multiple
> parallel versions of badly engineered packages installed, requiring
> loads of extra manpower (from where?!)
>
> (3) spend ages educating the upstream developers on best practices,
> and patching and fixing upstream software ourselves
>
> (4) don't embrace or ship this software, and risk obscurity
>
> I think #3 or #4 is where we are right now.

You've just proved there is no choice to make.

Your first choice is a no-go, PR disaster in the making (Microsoft is
still paying the PR costs of its 90's security shortcuts, two decades
later).

All the other "choices" are manpower allocation, which Fedora does not
restrict in any way. If 2 or 3 are not taken more often, it's just that
some upstreams make their production prohibitively expensive to ship in
manpower, and no one feels ready to volunteer the vast amount of time they
would require.

Ecosystem packaging usually goes from 4 to 2 to 3, with the courageous
people stepping up for 2 getting burnt out and barely managing to do 4
enough for someone else to take up the relay from there.

Upstream shortcuts are like heavy metals: the higher you get in the
food chain, the higher the poison concentration. In systems-land, packagers
are at the top of the food chain. The easier you make it for upstreams to
introduce poison into the ecosystem, the fewer packages you will ship in the
mid-term, because you'll get packager die-out (LibreOffice people have
understood this very well at their own scale).

And, lastly, you're selling the advantages of packaging short. Linux users
are quick to understand the benefits they get from packaged software. That
is why we get regular upstream complaints that distros are 'stealing' their
users, or the current castle-in-the-sky wishful thinking by some GNOME OS
proponents. They don't like having to abide by strict distro deployment
rules, but their users are forcing them to go through this process, or
risk obscurity (to use your words).

Regards,

-- 
Nicolas Mailhot
