Date: Wed, 12 Dec 2012 20:27:18 -0500
Subject: Re: [DISCUSS] CloudStack Marketplace Update
From: Chip Childers
To: cloudstack-dev@incubator.apache.org

On Wed, Dec 12, 2012 at 8:22 PM, Jie Feng wrote:
> Comments inline.
>
>> -----Original Message-----
>> From: John Kinsella [mailto:jlk@stratosec.co]
>> Sent: Wednesday, December 12, 2012 5:12 PM
>> To: cloudstack-dev@incubator.apache.org
>> Subject: Re: [DISCUSS] CloudStack Marketplace Update
>>
>> Repeating my previous comments - if Citrix wants to host a repository of
>> images for a CloudStack Marketplace, they can do whatever they wish. These
>> should not be listed in the default ACS install.
>>
>> Please remember Apache CloudStack != Citrix.
>
> I am talking about an Apache listing repository. I am using Citrix as an
> example. All of our committers who work with CloudStack partners can bring
> in our validated partner listings. I am simply trying to leverage what we
> are already doing outside of the community and bring the benefits in.

-1 (binding)

I am not comfortable with the Apache CloudStack project making any
assumptions about external organizations, and their various
"certification" programs. Organizations have no standing with the ASF,
and therefore the employer of our contributors should not affect their
trust of some external organization for project purposes.

At a bare minimum, if this marketplace idea is to move forward, we need
to think about it in terms of code that can be used to provide
marketplace services, but not as an "Apache" service.

>>
>> On Dec 12, 2012, at 5:09 PM, Jie Feng wrote:
>>
>> > David, your comments just inspired another idea.
>> >
>> > Citrix has a Citrix Ready program where our partners are certified. I
>> > think many other companies might have similar programs. And there are
>> > committers in the CloudStack community working for these companies with
>> > the partners. At least we are comfortable with the quality of these
>> > partner products not to have virus. We are not asking for these
>> > companies to be legally responsible for anything their partners produce.
>> >
>> > Are we comfortable as a community to bring these partners' products in
>> > through our committers as a starting point for building an Apache
>> > listing repository? The listings will be limited, but at least we have
>> > something to start with.
>> >
>> > Jie
>> >
>> >> -----Original Message-----
>> >> From: David Nalley [mailto:david@gnsa.us]
>> >> Sent: Wednesday, December 12, 2012 4:55 PM
>> >> To: cloudstack-dev@incubator.apache.org
>> >> Subject: Re: [DISCUSS] CloudStack Marketplace Update
>> >>
>> >>> 2. How do we validate that the image templates are solid and no virus?
>> >>> [Jie] In my opinion, it is impossible for the Apache CloudStack
>> >>> community to take on the burden to validate image templates.
>> >>> Otherwise we have to validate each image, including every patch
>> >>> revision and sign them by crypto key. We can only go as far as
>> >>> validating the listing metadata and scripts appear/run correctly in
>> >>> Marketplace UI. If validity of the image is a major concern for the
>> >>> community, we have to do the listing repository outside of the
>> >>> community.
>> >>>
>> >>
>> >> This is the deal breaker IMO.
>> >> Making this the Apache CloudStack marketplace attaches the brand to
>> >> the marketplace.
>> >> Amazon has seen a number of malicious AMIs uploaded and made
>> >> available as community images, so there is clearly precedent.
>> >> The Apache name/brand also has a number of expectations in the open
>> >> source world around licensing, and without validation that
>> >> expectation would clearly not be met.
>> >> Finally there is the issue of whether folks uploading listings even
>> >> have the authority/permission to distribute the software on the
>> >> images that they have. Without some degree of accountability this
>> >> would be a legal nightmare.
>> >> I can't imagine that Citrix would run a Marketplace and allow its
>> >> name/brand to run the risk of being sullied by random individuals
>> >> uploading links to unvalidated content, so I am somewhat perplexed
>> >> that the assumption would be that Apache CloudStack would tolerate
>> >> this.
>> >>
>> >> --David
>> >
>>
>> Stratosec - Secure Infrastructure as a Service
>> o: 415.315.9385
>> @johnlkinsella
>