incubator-cloudstack-dev mailing list archives

From Jie Feng <Jie.F...@citrix.com>
Subject RE: [DISCUSS] CloudStack Marketplace Update
Date Thu, 13 Dec 2012 01:22:53 GMT
Comments inline. 

> -----Original Message-----
> From: John Kinsella [mailto:jlk@stratosec.co]
> Sent: Wednesday, December 12, 2012 5:12 PM
> To: cloudstack-dev@incubator.apache.org
> Subject: Re: [DISCUSS] CloudStack Marketplace Update
> 
> Repeating my previous comments - if Citrix wants to host a repository of
> images for a CloudStack Marketplace, they can do whatever they wish. These
> should not be listed in the default ACS install.
> 
> Please remember Apache CloudStack != Citrix.

I am talking about an Apache listing repository. I am using Citrix as an example. All of our
committers who work with CloudStack partners can bring in our validated partner listings.
I am simply trying to leverage what we are already doing outside of the community and bring
the benefits in.

> 
> On Dec 12, 2012, at 5:09 PM, Jie Feng <Jie.Feng@citrix.com> wrote:
> 
> > David, your comments just inspired another idea.
> >
> > Citrix has a Citrix Ready program where our partners are certified. I think
> > many other companies might have similar programs. And there are
> > committers in the CloudStack community working for these companies with
> > the partners. At least we are comfortable with the quality of these partner
> > products not to have viruses. We are not asking for these companies to be
> > legally responsible for anything their partners produce.
> >
> > Are we comfortable as a community to bring these partners' products in
> > through our committers as a starting point for building an Apache listing
> > repository? The listings will be limited, but at least we have something to
> > start with.
> >
> > Jie
> >
> >> -----Original Message-----
> >> From: David Nalley [mailto:david@gnsa.us]
> >> Sent: Wednesday, December 12, 2012 4:55 PM
> >> To: cloudstack-dev@incubator.apache.org
> >> Subject: Re: [DISCUSS] CloudStack Marketplace Update
> >>
> >>> 2. How do we validate that the image templates are solid and no virus?
> >>> [Jie] In my opinion, it is impossible for the Apache CloudStack
> >>> community to take on the burden to validate image templates. Otherwise
> >>> we have to validate each image, including every patch revision and sign
> >>> them by crypto key. We can only go as far as validating the listing
> >>> metadata and scripts appear/run correctly in Marketplace UI. If validity
> >>> of the image is a major concern for the community, we have to do the
> >>> listing repository outside of the community.
> >>>
> >>
> >> This is the deal breaker IMO.
> >> Making this the Apache CloudStack marketplace attaches the brand to
> >> the marketplace.
> >> Amazon has seen a number of malicious AMIs uploaded and made
> >> available as community images, so there is clearly precedent.
> >> The Apache name/brand also has a number of expectations in the open
> >> source world around licensing, and without validation that
> >> expectation would clearly not be met.
> >> Finally there is the issue of whether folks uploading listings even
> >> have the authority/permission to distribute the software on the
> >> images that they have. Without some degree of accountability this would
> >> be a legal nightmare.
> >> I can't imagine that Citrix would run a Marketplace and allow its
> >> name/brand to run the risk of being sullied by random individuals
> >> uploading links to unvalidated content, so I am somewhat perplexed
> >> that the assumption would be that Apache CloudStack would tolerate
> >> this.
> >>
> >> --David
> >
> 
> Stratosec - Secure Infrastructure as a Service
> o: 415.315.9385
> @johnlkinsella

