On 22 January 2014 15:54, Miloslav Trmač <mitr@xxxxxxxx> wrote:
On Wed, Jan 22, 2014 at 5:39 PM, Matthew Garrett <mjg59@xxxxxxxxxxxxx> wrote:
> You want that set of channels to include a number of third-party vendors
> who distribute non-free software. There's a few practical problems here
> - how do we choose those vendors? What process do we have for ensuring
> that they aren't distributing malicious code? What if they provide a
> package that breaks software that we ship as part of Fedora? What if a
> vendor with a known history of shipping broken software requests
> inclusion and kicks up a PR storm if we refuse?

Every single retailer is facing these questions about the products arriving from the vendors, and somehow they manage. This should not be that huge a deal in practice; primarily it's a matter of mindset, abandoning the "full-featured and self-contained distribution" expectation.
Retailers manage because there are long and large amounts of contractual and other commerce laws, treaties, etc. to back them up when dealing with product problems with their upstream. There are contracts in place all through the chain of construction that are in place that liability moves up the chain and not to the retailer. However, when you don't have those contracts in place you as the end party can be found liable for the problems versus the upstream vendor.
So yes it is huge and has implications that aren't easily or logically parseable.
(It seems that sandboxing the third-party software is what the world is converging on, but we've also had >30 years of software products for sale before sandboxing existed.)
Mirek
_______________________________________________
advisory-board mailing list
advisory-board@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/advisory-board
Stephen J Smoogen.