On Sat, 30 Mar 2024 at 13:26, Artem S. Tashkinov via devel <devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
I propose this issue to be tackled in a centralized way by the collaboration of major distros.
There must be a website or a central authority which includes known to be good/safe/verified/vetted open source packages along with e.g. SHA256/384/512/whatever hashes of the source tarballs. In addition, the source tarballs (not their compressed versions because people may use different compressors and compression settings) and their hashes must be digitally signed or have the appropriate PGP signatures from the trusted parties.
Some parties must be assigned trust to be able to push new packages to this repository. Each push must be verified by at least two independent parties, let's say RedHat and Ubuntu or Ubuntu and Arch, it doesn't matter. The representatives of these parties must be people whose whereabouts are known to confirm who they physically are. No nicknames allowed.
This website must also have/allow a revocation mechanism for situations like this.
Now Fedora/Arch/Debian/Ubuntu/whatever distros can build packages knowing they are safe to use.
If that's the wrong place to come up with this proposal, please forward it to the people who are responsible for making such decisions. I'm not willing to dig through the dirt to understand how the Fedora project works, who is responsible for what, and what are the appropriate communication channels. If you care, you'll simply forward my message. Thanks a lot.
There is no one who makes such decisions for any of the distros. Most of the distributions make decisions by consensus of hundreds of individuals who read a list and come to the conclusion that they are 'going to dig through the dirt' to make something happen or not. For changes like what you propose, you need groups of people to work for years to get all the agreements in place, get the various tooling adapted, and work out all the personalities involved. It will usually start with an email like this, and then various disagreements about how it will never work, and then some group of people to actually try to get something like it to work somewhere. At which point, the next round of 'well did you think about..' problems arrive and either the people are able to fix them or the idea gets shelved until later.
Best regards,
Artem
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Stephen Smoogen, Red Hat Automotive
Let us be kind to one another, for most of us are fighting a hard battle. -- Ian MacClaren-- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue