On Wed, Jan 22, 2014 at 5:39 PM, Matthew Garrett <mjg59@xxxxxxxxxxxxx> wrote:
> You want that set of channels to include a number of third-party vendors
> who distribute non-free software. There's a few practical problems here
> - how do we choose those vendors? What process do we have for ensuring
> that they aren't distributing malicious code? What if they provide a
> package that breaks software that we ship as part of Fedora? What if a
> vendor with a known history of shipping broken software requests
> inclusion and kicks up a PR storm if we refuse?
Every single retailer is facing these questions about the products arriving from the vendors, and somehow they manage. This should not be that huge a deal in practice; primarily it's a matter of mindset, abandoning the "full-featured and self-contained distribution" expectation.
(It seems that sandboxing the third-party software is what the world is converging on, but we've also had >30 years of software products for sale before sandboxing existed.)
_______________________________________________
advisory-board mailing list
advisory-board@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/advisory-board