incubator-cloudstack-dev mailing list archives

From "Kelcey Damage (BT)"
Subject RE: [DISCUSS] CloudStack Marketplace Update
Date Wed, 12 Dec 2012 23:09:58 GMT
>>>Weighing in late here as well.


>>>First guys, appreciate the contribution. All these awesome ideas, we
>>>appreciate the work.


>>>That said, work *has* to happen in The Apache Way.


>>>Now, some comments:


>>>I would strongly recommend separation of code and data. Build Marketplace
>>>into ACS, allow it to be easily enabled/disabled at both the global and
>>>account/user levels. Regarding data, I think the model you should follow
>>>here is that of Eclipse, not maven - as we have a UI, 3rd parties can
>>>provide links to repositories that users can add by pasting the link into a
>>>wizard in the UI. After submission, the repo sends its public key to
>>>ACS, which stores it for later use. Once a repo is enabled in an ACS
>>>install, offerings are browsable/selectable through the admin console, with
>>>any commerce/tracking/whatever happening outside our application. When a
>>>user selects to download a widget, the repo sends a URL with a mime type
>>>that ACS recognizes means it's for its own consumption. The downloaded
>>>package contains the widget and a cryptographic signature - ACS then
>>>verifies that signature on the widget via the public key previously


>>>By default, ACS should ship with a basic "marketplace" that contains the
>>>SSVM image and a sample base OS.


>>>From a security POV, you better have a metric ton of certainty that what
>>>you're providing me is a clean innocent widget. Another reason for this
>>>to happen outside the sphere of ACS. If there's an issue, I don't really
>>>want that affecting the Apache or CloudStack brand because our vetting of
>>>said widget missed something and now some cloud is running 500 copies of a
>>>malicious VM. I don't like that type of front-page coverage.


Again, I completely agree. I would not want to 'trust' that the marketplace
is only selling fully tested code. There should be a measure of separation
between core ACS, and the marketplace code/integration. The marketplace
should be optional.


>>>The UI looks nice, but it's not maintaining a standard look/feel with the
>>>rest of the app. I think as part of accepting the project, we should
>>>consider enforcing a standardized look/feel, otherwise our baby will turn
>>>into a beast with many arms sticking out of its head.


Agreed, a standardized theme across our product and our docs, web presence
is essential for selling a brand. And we all want to increase the CS install





Also has anyone thought of the logistics of hosting/operating an ecommerce
system? Who would be responsible?? What payment GW? Broker? Legalities?



-----Original Message-----
From: Sebastien Goasguen
Sent: Wednesday, December 12, 2012 2:32 PM
Subject: Re: [DISCUSS] CloudStack Marketplace Update



On Dec 12, 2012, at 11:17 PM, Chip Childers wrote:


> On Wed, Dec 12, 2012 at 12:45 PM, Jie Feng wrote:

>> Any inputs from others in the community?  I like to reach some consensus
>> on where to host the Apache listing repository in the next couple of weeks
>> (since if we go with option 1, we need to give vendors enough time to put
>> listings in source code prior to code freeze end of Jan).


>> Jie



> A general observation...


> If this is part of a cloudstack install, then why aren't we simply
> extending the list of available templates that users can choose from to
> include those that may start out at a remote location (but may be
> cached by CloudStack after the first use).  Why not also extend the
> template meta-data to include optional details like what's provided in
> the listing material?

> If an admin is already deciding on which templates would be listed in
> the marketplace, why wouldn't they simply be listed in the global
> template list?  It seems confusing to have to curate two different
> sets of templates (marketplace and available for immediate
> provisioning).


> -chip


Couple thoughts,


A while back when the marketplace idea came up, I mentioned the opennebula
marketplace. It may be good to have a look at it again:


Basically it is a service, external to an opennebula deployment, that an
admin can point to, in order to offer users templates published by the
community. The marketplace itself only manages meta-data associated with
each image.


In my mind, I see it as a separate project. I probably don't understand the
entire concept of the existing proposal for the CS marketplace, but having
"vendor" information in our Apache code base is worrisome.


PS: BTW, A huge issue with marketplaces is how to trust images. How do you
vet an image?
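
The repository flow described in the quoted proposal above (public key stored when a repo is added, signature checked on each download), as an added example in Go; it is not part of the thread and not CloudStack code. The `Registry` and `Package` types, the repo URLs, the payload and the choice of Ed25519 are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Registry (hypothetical): repo URL -> public key stored when the admin enabled the repo.
type Registry map[string]ed25519.PublicKey

// Package (hypothetical) is one download: the widget bytes plus a detached signature.
type Package struct {
	Repo               string
	Payload, Signature []byte
}

var ErrUnknownRepo = errors.New("repository not enabled or stored key malformed")
var ErrBadSignature = errors.New("signature does not match stored key")

// Verify checks the package against the key stored at registration, never a
// key delivered alongside the download, and fails closed in every other case.
func (r Registry) Verify(pkg Package) error {
	key, ok := r[pkg.Repo]
	if !ok || len(key) != ed25519.PublicKeySize {
		return ErrUnknownRepo
	}
	if !ed25519.Verify(key, pkg.Payload, pkg.Signature) {
		return ErrBadSignature
	}
	return nil
}

// demo uses a constructed key pair and payload: intact, tampered, and unregistered repo.
func demo() (good, tampered, unknown error) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	pkg := Package{Repo: "https://repo.example/feed", Payload: []byte("constructed template bytes")}
	reg := Registry{pkg.Repo: pub}
	pkg.Signature = ed25519.Sign(priv, pkg.Payload)
	good = reg.Verify(pkg)
	bad := Package{Repo: pkg.Repo, Payload: append([]byte("x"), pkg.Payload...), Signature: pkg.Signature}
	tampered = reg.Verify(bad)
	other := Package{Repo: "https://other.example/feed", Payload: pkg.Payload, Signature: pkg.Signature}
	return good, tampered, reg.Verify(other)
}

func main() { fmt.Println(demo()) }
```

A valid signature only shows that the package came from the holder of the registered key and was not altered in transit; it says nothing about whether the image is benign, which is the vetting question raised in the thread.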



