PackageKit Misconceptions

Owen Taylor otaylor at redhat.com
Wed Aug 22 23:01:54 UTC 2007


On 8/22/07, Jeff Spaleta <jspaleta at gmail.com> wrote:
> On 8/22/07, Owen Taylor <otaylor at redhat.com> wrote:
> >  A) The information displayed to the user has been audited to be accurate
>
> You have a proposal on how to do this? I have grave concerns about
> being legally allowed to do this in a centralized way as part of the
> Fedora project.

Now, I have no competence to address the legality, but there is a big
difference between providing a listing of third party repositories as
compared to, when queried, saying
"Yes, Joe Smith's Package Repository is in fact an accurate
description of this .repo file".
The latter can even be done without storing *any* information about
Joe Smith's Package Repository on the Fedora repository by instead
storing a GPG keyring of people trusted to do such audits and sign
the information.

> >  B) We provide some sort of reputation system displayed right along
> > with the question so that you have a basis for an informed decision
>
> Uhm... probably not possible. I seriously doubt that we could
> officially host a ranking of 3rd party sources in fedora controlled
> infrastructure. We go out of our way to not officially communicate
> about 3rd party repos.  I have a very hard time seeing how this is
> going to be integrated into a Fedora experience with the Fedora
> Project acting as the central broker of reputation.

Well, there is one form of reputation system that I'm sure would pass
muster ... a blacklist of known bad sites. But I'm pretty sure you can
go further than that without running legal risks if you have no
listing of sites and no "recommendation", and just display the data
when the user is going to install the .repo file / GPG key. All you
really need to store is:

- Number of times the repo file / GPG key has been installed
- Number of problem reports
- Ability to click and view the problem reports

So you wouldn't be endorsing Joe Smith's Package Repository at all,
but if someone found a link to it, they'd be able to see the stats
that 10,000 other people have installed the package repository, and 10
people have reported problems. People could draw their own conclusion
from that whether it was a safe repository to install. Remember, we
don't need to answer the question "what are cool repos to add", we
just need to answer the question "is this repo that I'm trying to add
safe or not".

- Owen
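One way the keyring-of-auditors check described in the message above could work, as an added example that is not part of the original thread or of PackageKit: ed25519 stands in for GPG, the auditor name and the sample .repo contents are constructed, and the only thing held centrally is the auditor keyring, never anything about the repository itself.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
)

// Keyring is all the central side stores: auditor name -> public key.
type Keyring map[string]ed25519.PublicKey

// AuditStatement: an auditor's signed claim that Description fits the .repo file with SHA-256 RepoFileHash.
type AuditStatement struct {
	Auditor, RepoFileHash, Description string
	Signature                          []byte
}
func hashRepoFile(repoFile []byte) string {
	sum := sha256.Sum256(repoFile)
	return hex.EncodeToString(sum[:])
}

// statementBytes is the canonical signed message; the tag and newlines keep hash and description apart.
func statementBytes(hash, desc string) []byte {
	return []byte("repo-audit-v1\n" + hash + "\n" + desc + "\n")
}

// NewAuditorKey creates an auditor key pair (ed25519 stands in for a GPG key).
func NewAuditorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignAudit is run by the auditor; the statement can live anywhere, even next to the .repo file itself.
func SignAudit(priv ed25519.PrivateKey, auditor string, repoFile []byte, desc string) AuditStatement {
	h := hashRepoFile(repoFile)
	return AuditStatement{auditor, h, desc, ed25519.Sign(priv, statementBytes(h, desc))}
}

// VerifyAudit answers "is this an audited description of this .repo file?" using only the trusted keyring.
func VerifyAudit(kr Keyring, st AuditStatement, repoFile []byte) bool {
	pub, ok := kr[st.Auditor]
	if !ok || hashRepoFile(repoFile) != st.RepoFileHash {
		return false // unknown auditor, or the statement is about a different file
	}
	return ed25519.Verify(pub, statementBytes(st.RepoFileHash, st.Description), st.Signature)
}
```

Any change to the .repo file, the description, or the signing key after the audit makes VerifyAudit return false, so the installer can show the audited description only when it really matches the file about to be installed.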

More information about the Fedora-desktop-list mailing list