[lsb-discuss] Some thoughts about the recent packaging discussion
Wichmann, Mats D
mats.d.wichmann at intel.com
Mon Mar 3 16:16:44 PST 2008
lsb-discuss-bounces at lists.linux-foundation.org wrote:
>> The sad fact of the matter is that ISVs that have these issues have
>> just already told their customers. "Disable SELinux and try again."
> And the smart customers are telling them to go ****
> themselves. Some day
> the conduct of ISVs with that attitude will qualify as "gross
> negligence" and with my security hat on the sooner the better.
> When it comes to sloppy ISV practice then I'm going to work
> for and with *the customers*, and where necessary for
> good security practice for and with the people in
> governments around the world who are today putting
> together frameworks to make damn sure software
> vendors can't keep escaping product liability.
I find myself with Alan on this one - I think whatever
LSB does ought to have a checkmark for distros to sign
off that they agree it's not something that risks delaying
the implementation of improved security practices - I
sure don't want to facilitate more of the "just turn off
selinux, it's inconvenient" stuff.
Seems like "Berlin" had its genesis in *customers* - users
(administrators, if you prefer) who were unhappy that
some of the software they've installed is manageable
through system tools and some of it is invisible to
those tools because it evaded the package system.
Meanwhile, ISVs are evading the package system because
(a) it's hard, (b) it isn't easy to provide a consistent
user installation experience, especially if there's
a cross-OS (that is, much more than Linux) consideration.
And of course, the design of rpm in particular makes
it tough for anything that asks questions, because the
rpm design requires installation to be able to happen
non-interactively. (there are more reasons why package
systems are being avoided, they've been pretty well
listed here already)