David, your comments just inspired another idea. Citrix has a Citrix Ready program where our partners are certified. I think many other companies might have similar programs. And there are committers in the CloudStack community working for these companies with the partners. At least we are comfortable with the quality of these partner products not to have virus. We are not asking for these companies to be legally responsible for anything their partners produce.
Are we comfortable as a community to bring these partners' products in through our committers as a starting point for building an Apache listing repository? The listings will be limited, but at least we have something to start with. Jie > -----Original Message----- > From: David Nalley [mailto:da...@gnsa.us] > Sent: Wednesday, December 12, 2012 4:55 PM > To: cloudstack-dev@incubator.apache.org > Subject: Re: [DISCUSS] CloudStack Marketplace Update > > > 2. How do we validate that the image templates are solid and no virus? > > [Jie] In my opinion, it is impossible for the Apache CloudStack community to > take on the burden to validate image templates. Otherwise we have to > validate each image, including every patch revision and sign them by crypto > key. We can only go as far as validating the listing metadata and scripts > appear/run correctly in Marketplace UI. If validity of the image is a major > concern for the community, we have to do the listing repository outside of > the community. > > > > This is the deal breaker IMO. > Making this the Apache CloudStack marketplace attaches the brand to the > marketplace. > Amazon has seen a number of malicious AMIs uploaded and made available > as community images, so there is clearly precedent. > The Apache name/brand also has a number of expectations in the open > source world around licensing, and without validation that expectation would > clearly not be met. > Finally there is the issue of whether folks uploading listings even have the > authority/permission to distribute the software on the images that they > have. Without some degree of accountability this would be a legal nightmare. > I can't imagine that Citrix would run a Marketplace and allow its name/brand > to run the risk of the being sullied by random individuals uploading links to > unvalidated content, so I am somewhat perplexed that the assumption > would be that Apache CloudStack would tolerate this. > > --David
