From: John Kinsella
Subject: Re: [DISCUSS] CloudStack Marketplace Update
Date: Wed, 12 Dec 2012 17:12:21 -0800

Repeating my previous comments - if Citrix wants to host a repository of images for a CloudStack Marketplace, they can do whatever they wish. These should not be listed in the default ACS install.

Please remember Apache CloudStack != Citrix.

On Dec 12, 2012, at 5:09 PM, Jie Feng wrote:

> David, your comments just inspired another idea.
>
> Citrix has a Citrix Ready program where our partners are certified. I think many other companies might have similar programs. And there are committers in the CloudStack community working for these companies with the partners. At least we are comfortable with the quality of these partner products not to have virus. We are not asking for these companies to be legally responsible for anything their partners produce.
>
> Are we comfortable as a community to bring these partners' products in through our committers as a starting point for building an Apache listing repository? The listings will be limited, but at least we have something to start with.
>
> Jie
>
>> -----Original Message-----
>> From: David Nalley [mailto:david@gnsa.us]
>> Sent: Wednesday, December 12, 2012 4:55 PM
>> To: cloudstack-dev@incubator.apache.org
>> Subject: Re: [DISCUSS] CloudStack Marketplace Update
>>
>>> 2. How do we validate that the image templates are solid and no virus?
>>> [Jie] In my opinion, it is impossible for the Apache CloudStack community to take on the burden to validate image templates. Otherwise we have to validate each image, including every patch revision and sign them by crypto key. We can only go as far as validating the listing metadata and scripts appear/run correctly in Marketplace UI. If validity of the image is a major concern for the community, we have to do the listing repository outside of the community.
>>>
>>
>> This is the deal breaker IMO.
>> Making this the Apache CloudStack marketplace attaches the brand to the marketplace.
>> Amazon has seen a number of malicious AMIs uploaded and made available as community images, so there is clearly precedent.
>> The Apache name/brand also has a number of expectations in the open source world around licensing, and without validation that expectation would clearly not be met.
>> Finally there is the issue of whether folks uploading listings even have the authority/permission to distribute the software on the images that they have. Without some degree of accountability this would be a legal nightmare.
>> I can't imagine that Citrix would run a Marketplace and allow its name/brand to run the risk of being sullied by random individuals uploading links to unvalidated content, so I am somewhat perplexed that the assumption would be that Apache CloudStack would tolerate this.
>>
>> --David
>

Stratosec - Secure Infrastructure as a Service
o: 415.315.9385
@johnlkinsella