On Wed, Dec 12, 2012 at 8:22 PM, Jie Feng <jie.f...@citrix.com> wrote: > Comments inline. > >> -----Original Message----- >> From: John Kinsella [mailto:j...@stratosec.co] >> Sent: Wednesday, December 12, 2012 5:12 PM >> To: cloudstack-dev@incubator.apache.org >> Subject: Re: [DISCUSS] CloudStack Marketplace Update >> >> Repeating my previous comments - if Citrix wants to host a repository of >> images for a CloudStack Marketplace, they can do whatever they wish. These >> should not be listed in the default ACS install. >> >> Please remember Apache CloudStack != Citrix. > > I am talking about an Apache listing repository. I am using Citrix as an > example. All of our committers who work with CloudStack partners can bring in > our validated partner listings. I am simply trying to leverage what we are > already doing outside of the community and bring the benefits in.
-1 (binding) I am not confortable with the Apache CloudStack project making any assumptions about external organizations, and their various "certification" programs. Organizations have no standing with the ASF, and therefore the employer of our contributors should not affect their trust of some external organization for project purposes. At a bare minimum, if this marketplace idea is to move forward, we need to think about it in terms of code that can be used to provide marketplace services, but not as an "Apache" service. >> >> On Dec 12, 2012, at 5:09 PM, Jie Feng <jie.f...@citrix.com> >> wrote: >> >> > David, your comments just inspired another idea. >> > >> > Citrix has a Citrix Ready program where our partners are certified. I think >> many other companies might have similar programs. And there are >> committers in the CloudStack community working for these companies with >> the partners. At least we are comfortable with the quality of these partner >> products not to have virus. We are not asking for these companies to be >> legally responsible for anything their partners produce. >> > >> > Are we comfortable as a community to bring these partners' products in >> through our committers as a starting point for building an Apache listing >> repository? The listings will be limited, but at least we have something to >> start with. >> > >> > Jie >> > >> >> -----Original Message----- >> >> From: David Nalley [mailto:da...@gnsa.us] >> >> Sent: Wednesday, December 12, 2012 4:55 PM >> >> To: cloudstack-dev@incubator.apache.org >> >> Subject: Re: [DISCUSS] CloudStack Marketplace Update >> >> >> >>> 2. How do we validate that the image templates are solid and no virus? >> >>> [Jie] In my opinion, it is impossible for the Apache CloudStack >> >>> community to >> >> take on the burden to validate image templates. Otherwise we have to >> >> validate each image, including every patch revision and sign them by >> >> crypto key. We can only go as far as validating the listing metadata >> >> and scripts appear/run correctly in Marketplace UI. If validity of >> >> the image is a major concern for the community, we have to do the >> >> listing repository outside of the community. >> >>> >> >> >> >> This is the deal breaker IMO. >> >> Making this the Apache CloudStack marketplace attaches the brand to >> >> the marketplace. >> >> Amazon has seen a number of malicious AMIs uploaded and made >> >> available as community images, so there is clearly precedent. >> >> The Apache name/brand also has a number of expectations in the open >> >> source world around licensing, and without validation that >> >> expectation would clearly not be met. >> >> Finally there is the issue of whether folks uploading listings even >> >> have the authority/permission to distribute the software on the >> >> images that they have. Without some degree of accountability this would >> be a legal nightmare. >> >> I can't imagine that Citrix would run a Marketplace and allow its >> >> name/brand to run the risk of the being sullied by random individuals >> >> uploading links to unvalidated content, so I am somewhat perplexed >> >> that the assumption would be that Apache CloudStack would tolerate >> this. >> >> >> >> --David >> > >> >> Stratosec - Secure Infrastructure as a Service >> o: 415.315.9385 >> @johnlkinsella > >
