I'm not sure my proposal has been understood at all.

This website/authority is a sort of advisory board where each member's 
participation is 100% voluntary and distros are free to **ignore** it 
altogether.

What this website will contain is just a nice list of vetted open source 
packages, versions and their hashes, signed by at least two independent parties 
(people or orgs, doesn't matter), that's it. Who's going to populate this 
website, is up to people to decide.

> This is just fundamentally not how Free Software works.

Fundamentally I don't understand your comment at all. This proposal of mine is 
not there to limit anyone's freedom, it's to provide guarantees that certain 
packages have been vetted (checked and verified to be malware free), and you 
are safe to use them.

Actually it's a huge stinking problem for a **ton** of open source users who 
want to install certain packages that their distros don't have. It's especially 
relevant for Fedora given it's basically a precursor of RedHat and it cannot 
contain a ton of packages related to software patents.

As a result of it, BTW, your users blindly trust RPMFusion. A seemingly 
absolutely shady website with no official ties to RedHat, which guarantees 
neither that the packages it builds are malware free, nor that there are any 
actual people responsible for them. If there are RPMFusion maintainers here, 
I'm not here to insult you, I'm just relaying the status quo. RPMFusion does 
not look legit. I stopped using it over a decade ago because I simply cannot 
understand why I should trust it. If RedHat denies anything patent related, 
there are zero legal obligations for RedHat if someone starts spreading malware 
via it. That sucks.

Back to the topic.

Then you have to painstakingly scour the web for distros already using this 
package and check whether they have the same version with a hash. Then you 
download the package and verify the hash and pray to God the distro has at 
least given a cursory look to this package, so it's actually safe to install.

I guess I'm not coming from @fedora.org or @redhat.com, so my proposal is 
"anti-freedom".

Sorry for wasting your time. You have not even provided the very basic 
counter-arguments why my proposal makes no sense.

RedHat absolutely can start this initiative. You have all the means and 
resources, and I'm not talking about something super complex or expensive. For 
all I know, it could be the most basic website running on top of SQLite which 
costs the company $50 a month to run.

And of course, without this website, distros will continue to valiantly include 
upstream packages and get royally screwed and screw their poor users because a 
ton of your maintainers have neither the time/resources, nor qualifications to 
check whether the code you happily push to users is malware free.

I guess we'll have to have a few more accidents like this before someone will 
come up with a similar solution only not coming from me personally, because I'm 
a no one and just rending the air.

Sorry for intervening,
Artem
--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
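The vetted list the post proposes (package, version, hash, signed by at least two independent parties) and the consumer-side check it describes (download, verify the hash) are shown below as an added example in Go. This is not code from the thread, from Fedora or from RPMFusion; the party names, the `vetted-package/v1` canonical line format, the Ed25519 keys and the artifact bytes are all constructed for the example. It goes slightly beyond the post by making the quorum a parameter and by refusing to count the same party twice or an unknown party at all, which is what keeps "two independent signatures" meaningful.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is one row of the hypothetical vetted-package list: name, version and
// the SHA-256 of the exact artifact that was vetted.
type Entry struct {
	Name    string
	Version string
	SHA256  string // lowercase hex
}

// Canonical is the byte string every party signs. A fixed encoding matters:
// all signers must sign exactly the same bytes or the signatures cannot be
// checked against one shared entry. The format tag is constructed for this example.
func (e Entry) Canonical() []byte {
	return []byte("vetted-package/v1\n" + e.Name + "\n" + e.Version + "\n" + e.SHA256 + "\n")
}

// Attestation is one party's Ed25519 signature over an entry.
type Attestation struct {
	Party     string
	Signature []byte
}

// Sha256Hex hashes an artifact the way the list records it.
func Sha256Hex(artifact []byte) string {
	sum := sha256.Sum256(artifact)
	return hex.EncodeToString(sum[:])
}

// NewParty generates a key pair for a signing party (constructed here; a real
// list would distribute the trusted public keys out of band).
func NewParty() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign produces one party's attestation for an entry.
func Sign(party string, priv ed25519.PrivateKey, e Entry) Attestation {
	return Attestation{Party: party, Signature: ed25519.Sign(priv, e.Canonical())}
}

// CountIndependent returns how many distinct trusted parties have a valid
// signature over e. Unknown parties and bad signatures are ignored, and a
// party that signed twice counts once, so the quorum cannot be padded.
func CountIndependent(trusted map[string]ed25519.PublicKey, e Entry, atts []Attestation) int {
	seen := map[string]bool{}
	for _, a := range atts {
		pub, ok := trusted[a.Party]
		if !ok || seen[a.Party] {
			continue
		}
		if ed25519.Verify(pub, e.Canonical(), a.Signature) {
			seen[a.Party] = true
		}
	}
	return len(seen)
}

// VerifyArtifact is the consumer-side check: require at least quorum
// independent attestations, then compare the downloaded bytes to the vetted
// hash. It returns nil only when both conditions hold.
func VerifyArtifact(trusted map[string]ed25519.PublicKey, e Entry, atts []Attestation, artifact []byte, quorum int) error {
	if n := CountIndependent(trusted, e, atts); n < quorum {
		return fmt.Errorf("%s-%s: only %d independent attestation(s), need %d", e.Name, e.Version, n, quorum)
	}
	if got := Sha256Hex(artifact); got != e.SHA256 {
		return fmt.Errorf("%s-%s: artifact hash %s does not match vetted hash %s", e.Name, e.Version, got, e.SHA256)
	}
	return nil
}

func main() {
	// Two independent parties and one constructed artifact standing in for a tarball.
	pubA, privA := NewParty()
	pubB, privB := NewParty()
	trusted := map[string]ed25519.PublicKey{"org-a": pubA, "org-b": pubB}

	artifact := []byte("example-1.0.tar.gz contents (constructed)")
	entry := Entry{Name: "example", Version: "1.0", SHA256: Sha256Hex(artifact)}
	atts := []Attestation{Sign("org-a", privA, entry), Sign("org-b", privB, entry)}

	fmt.Println("two parties:   ", VerifyArtifact(trusted, entry, atts, artifact, 2))
	fmt.Println("one party twice:", VerifyArtifact(trusted, entry, []Attestation{atts[0], atts[0]}, artifact, 2))
	fmt.Println("tampered:      ", VerifyArtifact(trusted, entry, atts, []byte("tampered contents"), 2))
}
```

The first call succeeds, the second fails because a single party re-signing does not make a second independent party, and the third fails because the hash of the downloaded bytes differs from the vetted one. Any real deployment would also need a way to revoke a party's key and to record which parties are considered independent of each other, which the post leaves to whoever populates the list.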
