Comments inline.

> -----Original Message-----
> From: John Kinsella [mailto:j...@stratosec.co]
> Sent: Wednesday, December 12, 2012 5:12 PM
> To: cloudstack-dev@incubator.apache.org
> Subject: Re: [DISCUSS] CloudStack Marketplace Update
>
> Repeating my previous comments - if Citrix wants to host a repository of images for a CloudStack Marketplace, they can do whatever they wish. These should not be listed in the default ACS install.
>
> Please remember Apache CloudStack != Citrix.

I am talking about an Apache listing repository. I am using Citrix as an example. All of our committers who work with CloudStack partners can bring in our validated partner listings. I am simply trying to leverage what we are already doing outside of the community and bring the benefits in.

> On Dec 12, 2012, at 5:09 PM, Jie Feng <jie.f...@citrix.com> wrote:
>
> > David, your comments just inspired another idea.
> >
> > Citrix has a Citrix Ready program where our partners are certified. I think many other companies might have similar programs. And there are committers in the CloudStack community working for these companies with the partners. At least we are comfortable with the quality of these partner products not having viruses. We are not asking for these companies to be legally responsible for anything their partners produce.
> >
> > Are we comfortable as a community to bring these partners' products in through our committers as a starting point for building an Apache listing repository? The listings will be limited, but at least we have something to start with.
> >
> > Jie
> >
> >> -----Original Message-----
> >> From: David Nalley [mailto:da...@gnsa.us]
> >> Sent: Wednesday, December 12, 2012 4:55 PM
> >> To: cloudstack-dev@incubator.apache.org
> >> Subject: Re: [DISCUSS] CloudStack Marketplace Update
> >>
> >>> 2. How do we validate that the image templates are solid and have no virus?
> >>> [Jie] In my opinion, it is impossible for the Apache CloudStack community to take on the burden to validate image templates. Otherwise we have to validate each image, including every patch revision, and sign them by crypto key. We can only go as far as validating that the listing metadata and scripts appear/run correctly in the Marketplace UI. If validity of the image is a major concern for the community, we have to do the listing repository outside of the community.
> >>>
> >>
> >> This is the deal breaker IMO.
> >> Making this the Apache CloudStack marketplace attaches the brand to the marketplace.
> >> Amazon has seen a number of malicious AMIs uploaded and made available as community images, so there is clearly precedent.
> >> The Apache name/brand also has a number of expectations in the open source world around licensing, and without validation that expectation would clearly not be met.
> >> Finally there is the issue of whether folks uploading listings even have the authority/permission to distribute the software on the images that they have. Without some degree of accountability this would be a legal nightmare.
> >> I can't imagine that Citrix would run a Marketplace and allow its name/brand to run the risk of being sullied by random individuals uploading links to unvalidated content, so I am somewhat perplexed that the assumption would be that Apache CloudStack would tolerate this.
> >>
> >> --David
> >
>
> Stratosec - Secure Infrastructure as a Service
> o: 415.315.9385
> @johnlkinsella