[Xapian-discuss] How can I trust the xapian openSUSE packages?

Gregor Schmid gschmidx at qfs.de
Mon Nov 19 21:59:10 GMT 2007


Hello Olly,

thanks a lot for your reply. Please see inline comments.

Olly Betts <olly at survex.com> writes:

> On Mon, Nov 19, 2007 at 06:58:47PM +0100, Gregor Schmid wrote:
> > The SUSE RPMs for xapian are provided on the openSUSE build service
> > and though I'm pretty sure that they were placed there by some of the
> > xapian developers, it is not clear how our provider can verify that.
> 
> Assuming you mean those linked to from the download page on xapian.org,

Correct.

> they aren't maintained by any Xapian developers, 

I see.

> but I think those
> responsible are SuSE developers (3 of the 4 listed on the build service
> have @novell.com email addresses at least).  I believe some of them read
> this list.

It would be great to get a response from one or more of them. BTW,
where can I find the info who has (supposedly) created a package
available from the build service? I've browsed the site for a while
now, but haven't found anything like that.

Hold on, I just found a name in the changelog section of the packages
with a suse.de address. Thus it seems that Marcus Rueckert is the
maintainer. I saw some of his posts in the list archive.

And just while I'm writing this mail, Marcus' response came in also :-)
 
> I also have an account on their buildservice which I use for testing
> builds, but these aren't intended for public consumption.
> 
> > On the Build Service website there is talk about a trust relationship
> > and a rating mechanism, but none of this seems to be implemented.
> 
> I don't know about this.
> 
> > If there's no such mechanism, would it be possible for you to assist
> > verification by, for example, publishing an MD5 hash for the latest
> > packages on the xapian.org website? Our provider would be willing to
> > trust a package downloaded directly from the authors, i.e.
> > www.xapian.org and posting such a hash for externally provided
> > packages could create the same level of trust for those.
> 
> I don't have a way to easily verify the contents of those packages, so
> publishing a hash for them on xapian.org wouldn't actually provide a
> valid reason for trusting them more than you would otherwise.

Of course, if the creator of those packages is not affiliated with
xapian.org that suggestion doesn't make sense.

> > Ideas, alternative suggestions, feedback from other users of the xapian
> > SUSE RPMs etc. would be greatly appreciated.
> 
> If they're only willing to trust downloads from xapian.org, building from
> source seems the obvious approach - there's a spec file in each tarball
> so rpmbuild can work directly from them.  I can see hosting companies
> not being so keen on that though.

Yes, that's one of the obvious solutions. But of course, effort is an
issue here since they don't have any interest of their own in
installing the packages. Worse, that would mean that they'd have to
take on the responsibility for keeping the package up-to-date and
react quickly whenever a security issue in xapian or omega is
discovered.

> Or find a provider who offers virtual servers - that way installing
> packages for you doesn't affect other users.

Good suggestion, but that's not really an option, I'm afraid.

Best regards,
    Greg
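As an added example (not code from this thread or from the Xapian project): a small POSIX shell script that follows Olly's "build from the tarball" suggestion while keeping the digest check Gregor asked for, applied to the upstream source tarball rather than to third-party RPMs, since a digest published by the authors only vouches for what the authors themselves produced. It checks the tarball against an expected digest and only then hands it to `rpmbuild -ta`, which reads the spec file shipped inside the tarball. SHA-256 is used instead of MD5; the function names, the placeholder digest and the tarball name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread: verify a source tarball against an
# expected digest before building RPMs from it with `rpmbuild -ta`.
# The expected digest must be obtained from the upstream project over a
# channel you already trust; the value passed below is a placeholder.

# Print the SHA-256 of a file, using whichever tool the system provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_tarball FILE EXPECTED_SHA256
# Returns 0 when the file's digest matches, 1 otherwise (and says why).
verify_tarball() {
    file="$1"
    expected="$2"
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    return 0
}

# build_from_tarball FILE EXPECTED_SHA256
# Hands the tarball to rpmbuild only after the digest check passes;
# `-ta` builds both source and binary RPMs from the spec file inside it.
build_from_tarball() {
    verify_tarball "$1" "$2" || return 1
    rpmbuild -ta "$1"
}

# Usage (hypothetical file name and placeholder digest):
# build_from_tarball xapian-core-VERSION.tar.gz "PUBLISHED_SHA256_GOES_HERE"
```

A mismatch aborts before rpmbuild runs, so a corrupted or substituted download never reaches the build step; the digest itself still has to come from somewhere other than the mirror that served the tarball.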


