[Dev] Parabola infrastructure server and its hosting.

Denis 'GNUtoo' Carikli GNUtoo at no-log.org
Sat Mar 19 11:04:58 GMT 2016


Hi,

Since we have:
-> Highly insecure packages (they are compiled and uploaded by
   individual developers[1], including Arch developers[2]).
-> VM issues.
-> Bandwidth and server load issues.

Why not ask some entity like the FSF for a server to build the
packages and host Parabola's infrastructure (the bug tracker for
instance)?

Since the FSF is located in the US:
-> We can trust the FSF
-> We might not want to trust US law regarding surveillance.
-> Our packages would have to abide by absurd laws such as the DMCA, so we
   would probably need to host packages like libdvdcss outside of the
   US.
-> Since software patents are now very weak in the US, we might want
   not to remove functionality known to be risky patent-wise.
-> We also might want to contact the FSF and/or the SFLC for the legal
   issues.

References:
-----------
[1] Assuming we trust all Parabola developers, that means that the
    developer(s) with the weakest security can be used as a vector to
    compromise all Parabola users. Sometimes that can be dead easy.
[2] We can suppose that at least some of the Arch developers run
    proprietary software on the machine they used to build the packages
    they uploaded.

Denis.