[Sugar-devel] [sugar] [Proposal] .xot bundles, for translations

Martin Langhoff martin.langhoff at gmail.com
Mon Dec 8 11:01:43 EST 2008


On Mon, Dec 8, 2008 at 1:50 PM, Sayamindu Dasgupta <sayamindu at gmail.com> wrote:
> Does that work ?

How do we trust that the setup.py is not malicious? Part of what I am
suggesting when I talk about rpm files that have no %post/%pre etc
(and therefore can be installed with --no-scripts) is that we can
reasonably trust that the contents are not maliciously active. (Note
that this needs a few additional checks to be effective.)

If we say that we'll auto-execute a setup.py we have

 - less security
 - no versioning
 - no tracking of what file belongs to what pkg

In other words, I like your original plan :-) -- packaging has a lot
of good reasons. It also has its warts, but they are known and we can
work with them.

cheers,



m
-- 
 martin.langhoff at gmail.com
 martin at laptop.org -- School Server Architect
 - ask interesting questions
 - don't get distracted with shiny stuff
 - working code first
 - http://wiki.laptop.org/go/User:Martinlanghoff
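
A pre-install gate for the scriptless-package idea in the message above, as an added example that is not part of the original post or of Sugar's code. It inspects only header metadata through rpm's query format; the allowed prefix `/usr/share/locale/` and the file-mode checks are assumptions standing in for the unspecified "additional checks", and the sample outputs are constructed.

```python
import os
import subprocess

# Real RPM header tags that hold scriptlet or trigger bodies.
SCRIPT_TAGS = ("PREIN", "POSTIN", "PREUN", "POSTUN",
               "PRETRANS", "POSTTRANS", "VERIFYSCRIPT", "TRIGGERSCRIPTS")
# %|TAG?{1}:{0}| prints 1 if the header carries TAG, else 0; [...] iterates files.
QUERYFORMAT = ("".join(f"S {t} %|{t}?{{1}}:{{0}}|\\n" for t in SCRIPT_TAGS)
               + "[F %{FILEMODES:octal} %{FILENAMES}\\n]")

def query_rpm(path):
    """Read header metadata with rpm -qp; nothing in the package is executed."""
    cmd = ["rpm", "-qp", "--queryformat", QUERYFORMAT, os.path.abspath(path)]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

def audit(query_output, allowed_prefix="/usr/share/locale/"):
    """Return reasons to refuse the package; an empty list means it is passive."""
    problems, seen = [], set()
    for line in query_output.splitlines():
        kind, _, rest = line.partition(" ")
        field, _, value = rest.partition(" ")
        if kind == "S" and field in SCRIPT_TAGS:
            seen.add(field)
            if value != "0":
                problems.append(f"scriptlet present: {field}")
        elif kind == "F" and field and all(c in "01234567" for c in field):
            mode = int(field, 8)
            if mode & 0o6000:
                problems.append(f"setuid/setgid file: {value}")
            if (mode & 0o170000) not in (0o100000, 0o040000):
                problems.append(f"not a regular file or directory: {value}")
            if not value.startswith(allowed_prefix) or "/../" in value:
                problems.append(f"file outside {allowed_prefix}: {value}")
        else:
            problems.append(f"unparsed line: {line!r}")
    missing = set(SCRIPT_TAGS) - seen
    if missing:  # fail closed on truncated or unexpected rpm output
        problems.append(f"no answer for tags: {sorted(missing)}")
    return problems

# Constructed sample query outputs (not taken from a real package).
CLEAN = ("".join(f"S {t} 0\n" for t in SCRIPT_TAGS)
         + "F 100644 /usr/share/locale/es/LC_MESSAGES/sugar.mo\n")
BAD = CLEAN.replace("S POSTIN 0", "S POSTIN 1") + "F 104755 /usr/bin/helper\n"
```

On a real bundle, `audit(query_rpm("bundle.rpm"))` would run before any install step, with an empty result as the only accepted outcome.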

