half baked idea for further baking: "fedora-ugly" repo
Honza Horak
hhorak at redhat.com
Tue Feb 11 18:53:14 UTC 2014
On 02/11/2014 07:35 PM, Matthew Miller wrote:
> On Tue, Feb 11, 2014 at 03:04:12PM +0100, Tadej Janež wrote:
>> Generally, a big +1 from me for the idea.
> [still tired from travel. longer reply later. deleting all of message
> except the one point I want to respond to now...]
>
>> I think we should define a small core policy (e.g. non-conflicting with
>> packages in Fedora's main repo, no over-riding of packages in Fedora's
>> main repo, licenses compatible with Fedora) and have an automated way to
>> check and enforce it. Having a manual review process would unnecessarily
>> slow the process of populating this repository.
>
> I'm afraid that this becomes an easy route for malware into the distribution
> if we don't have a human check. Obviously that can't be perfect either but
> it raises the bar significantly.
I'm not sure that significantly is correct. It's not such a big problem
now to package some sane code, go through formal review and then change
the code to malware. As far as there is some quick "stop" button, I'd be
ok with automatic reviews.
Honza
More information about the env-and-stacks
mailing list