cloudstack-dev mailing list archives

From John Kinsella <...@stratosec.co>
Subject Re: [DISCUSS] CloudStack Marketplace Update
Date Thu, 13 Dec 2012 01:12:21 GMT
Repeating my previous comments - if Citrix wants to host a repository of images for a CloudStack
Marketplace, they can do whatever they wish. These should not be listed in the default ACS
install.

Please remember Apache CloudStack != Citrix.

On Dec 12, 2012, at 5:09 PM, Jie Feng <Jie.Feng@citrix.com> wrote:

> David, your comments just inspired another idea. 
> 
> Citrix has a Citrix Ready program where our partners are certified. I think many other
> companies might have similar programs. And there are committers in the CloudStack community
> working for these companies with the partners. At least we are comfortable with the quality
> of these partner products not to have viruses. We are not asking for these companies to be legally
> responsible for anything their partners produce.
> 
> Are we comfortable as a community to bring these partners' products in through our committers
> as a starting point for building an Apache listing repository? The listings will be limited,
> but at least we have something to start with.
> 
> Jie
> 
>> -----Original Message-----
>> From: David Nalley [mailto:david@gnsa.us]
>> Sent: Wednesday, December 12, 2012 4:55 PM
>> To: cloudstack-dev@incubator.apache.org
>> Subject: Re: [DISCUSS] CloudStack Marketplace Update
>> 
>>> 2. How do we validate that the image templates are solid and virus-free?
>>> [Jie] In my opinion, it is impossible for the Apache CloudStack community to
>>> take on the burden to validate image templates. Otherwise we have to
>>> validate each image, including every patch revision, and sign them by crypto
>>> key. We can only go as far as validating that the listing metadata and scripts
>>> appear/run correctly in the Marketplace UI. If validity of the image is a major
>>> concern for the community, we have to do the listing repository outside of
>>> the community.
>>> 
>> 
>> This is the deal breaker IMO.
>> Making this the Apache CloudStack marketplace attaches the brand to the
>> marketplace.
>> Amazon has seen a number of malicious AMIs uploaded and made available
>> as community images, so there is clearly precedent.
>> The Apache name/brand also has a number of expectations in the open
>> source world around licensing, and without validation that expectation would
>> clearly not be met.
>> Finally there is the issue of whether folks uploading listings even have the
>> authority/permission to distribute the software on the images that they
>> have. Without some degree of accountability this would be a legal nightmare.
>> I can't imagine that Citrix would run a Marketplace and allow its name/brand
>> to run the risk of being sullied by random individuals uploading links to
>> unvalidated content, so I am somewhat perplexed that the assumption
>> would be that Apache CloudStack would tolerate this.
>> 
>> --David
> 

Stratosec - Secure Infrastructure as a Service
o: 415.315.9385
@johnlkinsella

