Sorry Outlook and inline do not work... it's garbage... On to the topic What I was trying to say is:
I completely agree. I would not want to 'trust' that the marketplace is only selling fully tested code. There should be a measure of seperation between core ACS, and the marketplace code/integration. The marketplace should be optional. A standardized theme across our product and our docs, web pressence is essential for selling a brand. And we all want to increase the CS install base. Also has anyone thought of the logistics of hosting/operating an ecommerce system? Who would be responsible?? What payment GW? Broker? Legalities? -kd -----Original Message----- From: Kelcey Damage (BT) [mailto:kel...@backbonetechnology.com] Sent: Wednesday, December 12, 2012 3:10 PM To: cloudstack-dev@incubator.apache.org Subject: RE: [DISCUSS] CloudStack Marketplace Update >>>Weighing in late here as well. >>>First guys, appreciate the contribution. All these awesome ideas, we appreciate the work. >>>That said, work *has* to happen in The Apache Way. >>>Now, some comments: >>>I would strongly recommend separation of code and data. Build >>>Marketplace into ACS, allow it to be easily enabled/disabled at both the global >>>and account/user levels. Regarding data, I think the model you should follow here is that of Eclipse, not maven - as we have a UI, 3rd parties >>>can provide links to repositories that users can add by pasting the link into a wizard in the UI. After submission, the repo sends it's public key to >>>ACS, which stores it for later use. Once a repo is enabled in an ACS install, offerings are browsable/selectable through the admin console, with >>>any commerce/tracking/whatever happening outside our application. >>>When a user selects to download a widget, the repo sends a URL with a >>>mime type that ACS recognizes means it's for it's own consumption. The downloaded package contains the widget and a cryptographic >>>signature - ACS then verifies that signature on the widget via the public key previously downloaded. >>>By default, ACS should ship with a basic "marketplace" that contains >>>the SSVM image and a sample base OS. >>>From a security POV, you better have a metric ton of certainty that >>>what you're providing me is a clean innocent widget. Another reason for >>>this to happen outside the sphere of ACS. If there's an issue, I don't really want that affecting the Apache or CloudStack brand because our >>>vetting of said widget missed something and now some cloud is running 500 copies of a malicious VM. I don't like that type of front-page >>>coverage. Again, I completely agree. I would not want to 'trust' that the marketplace is only selling fully tested code. There should be a measure of seperation between core ACS, and the marketplace code/integration. The marketplace should be optional. >>>The UI looks nice, but it's not maintaining a standard look/feel with >>>the rest of the app. I think as part of accepting the project, we should >>>consider enforcing a standardized look/feel, otherwise our baby will >>>turn into a beast with many arms sticking out of it's head. Agreed, a standardized theme across our product and our docs, web pressence is essential for selling a brand. And we all want to increase the CS install base. >>>john Also has anyone thought of the logistics of hosting/operating an ecommerce system? Who would be responsible?? What payment GW? Broker? Legalities? -----Original Message----- From: Sebastien Goasguen [mailto:run...@gmail.com] Sent: Wednesday, December 12, 2012 2:32 PM To: cloudstack-dev@incubator.apache.org Subject: Re: [DISCUSS] CloudStack Marketplace Update On Dec 12, 2012, at 11:17 PM, Chip Childers < <mailto:chip.child...@sungard.com> chip.child...@sungard.com> wrote: > On Wed, Dec 12, 2012 at 12:45 PM, Jie Feng < > <mailto:jie.f...@citrix.com> jie.f...@citrix.com> wrote: >> Any inputs from others in the community? I like to reach some >> consensus on where to host the Apache listing repository in the next couple of weeks (since if we go with option 1, we need to give vendors enough time to put listings in source code prior to code freeze end of Jan). >> >> Jie >> > > A general observation... > > If this is part of a cloudstack install, then why aren't we simply > extending the list of available templates that users can chose from to > include those that may start out at a remote location (but may be > cached by CloudStack after the first use). Why not also extend the > template meta-data to include optional details like what's provided in > the listing material? > > If an admin is already deciding on which templates would be listed in > the marketplace, why wouldn't they simply be listed in the global > template list? It seems confusing to have to curate two different > sets of templates (marketplace and available for immediate > provisioning). > > -chip Couple thoughts, A while back when the marketplace idea came up, I mentioned the opennebula marketplace. It may be good to have a look at it again: <http://opennebula.org/documentation:rel3.8:marketplace> http://opennebula.org/documentation:rel3.8:marketplace Basically it is a service, external to an opennebula deployment, that an admin can point to, in order to offer users templates published by the community. The marketplace itself only manages meta-data associated with each image. In my mind, I see it as a separate project. I probably don't understand the entire concept of the existing proposal for the CS marketplace, but having "vendor" information in our Apache code base is worrisome. PS: BTW, A huge issue with marketplaces is how to trust images. How do you vet an image ? -Sebastien
