[OpenIndiana-discuss] pkg security and incentives?

[Till Wegmüller]

Hi Reg

We do handle Maintenance and and security updates for people. 
Technically you can have multiple repos linked to your system but in 
practice it's only ever the main openindiana.org one. And packages from 
there are always source built on the OpenIndiana build server and only 
from there. In the Future we would also like to provide ephemeral build 
zones that are spawned from a template and then destroyed. So it gets 
really hard to backdoor those machines like in the XZ case. Other ideas 
to make that spawning process happen are heartly welcome. But in short, 
we do not accept binary packages only source and recipes and then build 
them from a decently secure system for people.

Hope this helps
-Till

On 18.08.25 21:44, Reginald Beardsley via openindiana-discuss wrote:
> I'm happy to build packages for things I use that don't already have pkgs. However, it raises the issue of "On Trusting Trust".  I've generally not been enthusiastic about binary packages because it's so easy to Trojan or backdoor one.
> How does OI deal with that?  This is why I have, until very recently, built from source.  Linux made doing that fairly absurd with all the dependencies and as I was just using Linux on a test system for email  I started slacking.  Time to stop.
> As an incentive, how about a lottery?  People who build things for their own use and supply an IPS pkg get a ticket in an annual lottery for each pkg they contribute and the prize is of the order of 1000 Euros.
> Have Fun!Reg
> _______________________________________________
> openindiana-discuss mailing list
> openindiana-discuss at openindiana.org
> https://openindiana.org/mailman/listinfo/openindiana-discuss