On 8/22/07, Jeff Spaleta <jspaleta@xxxxxxxxx> wrote:
> On 8/22/07, Owen Taylor <otaylor@xxxxxxxxxx> wrote:
> > A) The information displayed to the user has been audited to be accurate
>
> You have a proposal on how to do this? I have grave concerns about
> being legally allowed to do this in a centralized way as part of the
> Fedora project.

Now, I have no competence to address the legality, but there is a big
difference between providing a listing of third party repositories
as compared to, when queried, saying "Yes, Joe Smith's Package Repository
is in fact an accurate description of this .repo file".

The latter can even be done without storing *any* information about
Joe Smith's Package Repository on the Fedora repository by instead
storing a GPG keyring of people trusted to do such audits and sign
the information.

> > B) We provide some sort of reputation system displayed right along
> > with the question so that you have a basis for an informed decision
>
> Uhm... probably not possible. I seriously doubt that we could
> officially host a ranking of 3rd party sources in fedora controlled
> infrastructure. We go out of our way to not officially communicate
> about 3rd party repos. I have a very hard time seeing how this is
> going to be integrated into a Fedora experience with the Fedora
> Project acting as the central broker of reputation.

Well, there is one form of reputation system that I'm sure would pass
muster ... a blacklist of known bad sites.

But I'm pretty sure you can go further than that without running
legal risks if you have no listing of sites and no "recommendation",
and just display the data when the user is going to install the
.repo file / GPG key.

All you really need to store is:

 - Number of times the repo file / GPG key has been installed
 - Number of problem reports
 - Ability to click and view the problem reports

So you wouldn't be endorsing Joe Smith's Package Repository at all,
but if someone found a link to it, they'd be able to see the stats
that 10,000 other people have installed the package repository, and
10 people have reported problems. People could draw their own conclusion
from that whether it was a safe repository to install.

Remember, we don't need to answer the question "what are cool repos
to add", we just need to answer the question "is this repo that I'm
trying to add safe or not".

- Owen

--
Fedora-desktop-list mailing list
Fedora-desktop-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-desktop-list