From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from lists.gentoo.org ([140.105.134.102] helo=robin.gentoo.org) by nuthatch.gentoo.org with esmtp (Exim 4.62) (envelope-from ) id 1HYmaD-000836-BK for garchives@archives.gentoo.org; Tue, 03 Apr 2007 17:14:13 +0000 Received: from robin.gentoo.org (localhost [127.0.0.1]) by robin.gentoo.org (8.14.0/8.14.0) with SMTP id l33HDIej022939; Tue, 3 Apr 2007 17:13:18 GMT Received: from spunkymail-a13.g.dreamhost.com (sd-green-bigip-207.dreamhost.com [208.97.132.207]) by robin.gentoo.org (8.14.0/8.14.0) with ESMTP id l33HBPbb020694 for ; Tue, 3 Apr 2007 17:11:26 GMT Received: from [192.168.118.203] (unknown [209.147.168.5]) by spunkymail-a13.g.dreamhost.com (Postfix) with ESMTP id 60683129B2F for ; Tue, 3 Apr 2007 10:11:25 -0700 (PDT) Message-ID: <46128A86.9090905@gentoo.org> Date: Tue, 03 Apr 2007 10:10:30 -0700 From: antarus User-Agent: Thunderbird 1.5.0.5 (Macintosh/20060719) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@gentoo.org Reply-to: gentoo-dev@lists.gentoo.org MIME-Version: 1.0 To: gentoo-dev@lists.gentoo.org Subject: Re: [gentoo-dev] [soc] Python bindings for Paludis References: <200703240028.15461.peper@gentoo.org> <200703271519.29674.vapier@gentoo.org> <20070327211510.0b426e09@snowflake> <200703301404.16400.vapier@gentoo.org> <20070331201602.3e50b815@Kacian2.emea.hpqcorp.net> <1175369043.5961.30.camel@localhost> <20070331203957.0ce015bd@blashyrk> <39425.67.180.39.52.1175380671.squirrel@webmail.scriptkitty.com> <46125CBC.4090806@gentoo.org> In-Reply-To: <46125CBC.4090806@gentoo.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Archives-Salt: 8bf81fb5-3ff3-46e5-be80-2a77c8b8a4c3 X-Archives-Hash: 259860f3b2ac9c15387af1724fb55c69 Mike Kelly wrote: > Alec Warner wrote: > >> The fact that Gentoo can continue with the codebase is irrelevant. I >> think moreso the fact that a particular Package Manager would be the >> 'Gentoo Package Manager' means in my mind that Gentoo is responsible for >> said Package Manager. If someone were to slip evil code into said Package >> Manager and Gentoo released it; that would be bad. >> >> Note that with Portage, Gentoo could pull svn access for any individuals >> who commit such code. Gentoo have no gaurantee of that with an externally >> managed Manager as Gentoo has no control over the source repositories. >> >> If, by your comment above, Gentoo should maintain it's own branch of said >> package manager to insulate itself from issues such as the security issue >> defined above; well I think that may be one way to address the problem >> presented by Seemant. >> > > Come on, that's a bogus argument. By that logic, we should be > maintaining our own branches of, say, sys-apps/shadow, since we don't > control the upstream CVS repository. I think something that's installed > in the base "system" set would also be perceived as something that > Gentoo is responsible for, since we ship it in our stage tarballs, the > basic building blocks of a Gentoo system. > Except we aren't the authors of sys-apps/shadow. sys-apps/shadow is not a Gentoo project. I think there is a difference. Take the issue with the ubuntu installer that left the root password in a log in /var. Who was responsible? Ubuntu. Why? Because it's their installer, their project. We don't endorse things like sys-apps/shadow; we just happen to use it. If we say 'Package X is the official manager', then to me that implies endorsement. A package manager is a solid part of Gentoo. Source based package management is a huge part of what separates us from all other distributions, I think that has some meaning, if not to you than to many of our users. If there was such a security problem with the official manager, who is responsible? Gentoo. Even if it's not really 'our' project. Because it's our manager. Not any other distros, but ours. -Alec -- gentoo-dev@gentoo.org mailing list