From: David Bolt on
On Thursday 01 Jul 2010 12:34, while playing with a tin of spray paint,
houghi painted this mural:

> David Bolt wrote:
>>> It is pretty clear for those who understand what everything in the URL
>>> means. There were talks about security (and for Novell also very
>>> important) responsibility for hosted packages.
>>
>> You any idea where/when this took place? I would be interested in
>> reviewing the conversation, if it is possible to do so.
>
> Not sure if it was FOSDEM or Nuernberg. I believe FOSDEM 2 or 3 years
> ago before the buildservice was public. It was mentioned more as a
> sidenote. "Yes we are aware of the risks of hosting packages that are
> not our own."

Okay.

>> I would hope that they would at least check to see if only the one
>> package contained malware, or was compromised in some way, or if more
>> than one of the users packages contained malware or were compromised.
>> Otherwise, it could be that someone takes a compromised source archive
>> and ends up losing their account because of it.
>
> I am sure they will look into it on a case by case, uh, case. Not sure if
> it already happened or not.

I don't recall anything on the build service mailing list mentioning
anything like this happening, so it's quite possible it's not happened
as yet. Or maybe it has but no-one has noticed.

> <snip>
>
>>> Security or
>>> availability?
>>
>> That's a hard one to answer. For Novell, security must be the top
>> priority, as anything else could tarnish their reputation.
>
> We are talking about openSUSE. Plus the repos, like yours, are not
> Novell's. They just provide the tools and the hosting.

That's why it could possibly tarnish their reputation, and would
provide some more fodder for the anti-Novell brigade.

> So they can not
> claim anything and can not be held responsible for anything.

If they can't be held responsible for packages hosted there, why have
the restrictions on the multimedia packages? Basically, it's because
they could possibly be held responsible, and they're going to have much
deeper pockets than anyone hosting packages on their systems.

> So they will not look for bad software (legally or technically) and only
> take action when it is pointed out.

That's probably the way it would have to be. I think it would be
unworkable if it was done any other way.


Regards,
David Bolt

--
Team Acorn: www.distributed.net
openSUSE 11.0 32b | | | openSUSE 11.3RC1 32b
| openSUSE 11.1 64b | openSUSE 11.2 64b |
TOS 4.02 | openSUSE 11.1 PPC | RISC OS 4.02 | RISC OS 3.11

From: David Bolt on
On Thursday 01 Jul 2010 15:34, while playing with a tin of spray paint,
houghi painted this mural:

> David Bolt wrote:

>> If they can't be held responsible for packages hosted there, why have
>> the restrictions on the multimedia packages? Basically, it's because
>> they could possibly be held responsible, and they're going to have much
>> deeper pockets than anyone hosting packages on their systems.
>
> Because of specific German laws that say they can not even
> link to such things, let alone host it.

That, to me at least, is a stupid law.

> That makes
> http://susestudio.com/download/74aa2441e71a5c08bdedbbe6ab9afb79/KDE4_Plus_Mplayer.i686-1.2.0.iso
> which is an openSUSE based distro including MPlayer all the more
> interesting.

Ah, but that's not hosted in Germany. Having said that, it's hosted in
America, and I would have thought that would be even worse given the
apparent allowance for filing suits for any reason whatsoever.


Regards,
David Bolt
