incubator-cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Nalley <da...@gnsa.us>
Subject Re: [DISCUSS] CloudStack Marketplace Update
Date Thu, 13 Dec 2012 00:54:31 GMT
> 2. How do we validate that the image templates are solid and no virus?
> [Jie] In my opinion, it is impossible for the Apache CloudStack community to take on
the burden to validate image templates. Otherwise we have to validate each image, including
every patch revision and sign them by crypto key. We can only go as far as validating the
listing metadata and scripts appear/run correctly in Marketplace UI. If validity of the image
is a major concern for the community, we have to do the listing repository outside of the
community.
>

This is the deal breaker IMO.
Making this the Apache CloudStack marketplace attaches the brand to
the marketplace.
Amazon has seen a number of malicious AMIs uploaded and made available
as community images, so there is clearly precedent.
The Apache name/brand also has a number of expectations in the open
source world around licensing, and without validation that expectation
would clearly not be met.
Finally there is the issue of whether folks uploading listings even
have the authority/permission to distribute the software on the images
that they have. Without some degree of accountability this would be a
legal nightmare.
I can't imagine that Citrix would run a Marketplace and allow its
name/brand to run the risk of the being sullied by random individuals
uploading links to unvalidated content, so I am somewhat perplexed
that the assumption would be that Apache CloudStack would tolerate
this.

--David

Mime
View raw message