Repeating my previous comments - if Citrix wants to host a repository of images for a CloudStack Marketplace, they can do whatever they wish. These should not be listed in the default ACS install.
Please remember Apache CloudStack != Citrix.

On Dec 12, 2012, at 5:09 PM, Jie Feng <jie.f...@citrix.com> wrote:

> David, your comments just inspired another idea.
>
> Citrix has a Citrix Ready program where our partners are certified. I think many other companies might have similar programs. And there are committers in the CloudStack community working for these companies with the partners. At least we are comfortable with the quality of these partner products not to have viruses. We are not asking for these companies to be legally responsible for anything their partners produce.
>
> Are we comfortable as a community to bring these partners' products in through our committers as a starting point for building an Apache listing repository? The listings will be limited, but at least we have something to start with.
>
> Jie
>
>> -----Original Message-----
>> From: David Nalley [mailto:da...@gnsa.us]
>> Sent: Wednesday, December 12, 2012 4:55 PM
>> To: cloudstack-dev@incubator.apache.org
>> Subject: Re: [DISCUSS] CloudStack Marketplace Update
>>
>>> 2. How do we validate that the image templates are solid and no virus?
>>> [Jie] In my opinion, it is impossible for the Apache CloudStack community to take on the burden to validate image templates. Otherwise we have to validate each image, including every patch revision, and sign them by crypto key. We can only go as far as validating that the listing metadata and scripts appear/run correctly in the Marketplace UI. If validity of the image is a major concern for the community, we have to do the listing repository outside of the community.
>>>
>>
>> This is the deal breaker IMO.
>> Making this the Apache CloudStack marketplace attaches the brand to the marketplace.
>> Amazon has seen a number of malicious AMIs uploaded and made available as community images, so there is clearly precedent.
>> The Apache name/brand also has a number of expectations in the open source world around licensing, and without validation that expectation would clearly not be met.
>> Finally there is the issue of whether folks uploading listings even have the authority/permission to distribute the software on the images that they have. Without some degree of accountability this would be a legal nightmare.
>> I can't imagine that Citrix would run a Marketplace and allow its name/brand to run the risk of being sullied by random individuals uploading links to unvalidated content, so I am somewhat perplexed that the assumption would be that Apache CloudStack would tolerate this.
>>
>> --David

Stratosec - Secure Infrastructure as a Service
o: 415.315.9385
@johnlkinsella