> 2. How do we validate that the image templates are solid and no virus? > [Jie] In my opinion, it is impossible for the Apache CloudStack community to > take on the burden to validate image templates. Otherwise we have to validate > each image, including every patch revision and sign them by crypto key. We > can only go as far as validating the listing metadata and scripts appear/run > correctly in Marketplace UI. If validity of the image is a major concern for > the community, we have to do the listing repository outside of the community. >
This is the deal breaker IMO. Making this the Apache CloudStack marketplace attaches the brand to the marketplace. Amazon has seen a number of malicious AMIs uploaded and made available as community images, so there is clearly precedent. The Apache name/brand also has a number of expectations in the open source world around licensing, and without validation that expectation would clearly not be met. Finally there is the issue of whether folks uploading listings even have the authority/permission to distribute the software on the images that they have. Without some degree of accountability this would be a legal nightmare. I can't imagine that Citrix would run a Marketplace and allow its name/brand to run the risk of the being sullied by random individuals uploading links to unvalidated content, so I am somewhat perplexed that the assumption would be that Apache CloudStack would tolerate this. --David
