[GRASS-dev] Re: [GRASS-user] Referencias de GRASS 6.3.0 nativo para MS-Windows

Michael Barton michael.barton at asu.edu
Sun Feb 8 12:08:17 EST 2009


I agree that this could be difficult for an individual open source dev  
team to do (Although I bet the GRASS user/developer community would  
catch, announce, and remove embedded malware very fast). I'm  
suggesting this as something that the large OSGeo umbrella might look  
into as a benefit to member projects. At least for malware, could this  
potentially be done in a semi-automated way for packages on OSGeo  
servers? Although malware can also get into upgrade sites for  
commercial packages, it doesn't seem to happen very often and the  
general perception is that these 'official' sites are clean.

Overall, my experience with major open source packages is that they  
are at least as safe and unproblematic as commercial packages--and  
sometimes considerably better. But the wording of our disclaimers,  
while more realistic perhaps, can put off IT managers. For example,  
the GRASS 6.3 windows package installer has been working fine for a  
year, and 6.3 works fine with Windows XP. Yet this is still listed on  
the GRASS site as the "GRASS Windows-Native Experimental Project".  
There are always issues to fix, but this is far beyond "experimental".

We don't want to make unreasonable claims, but perhaps should think  
more about how we word things so as to be less discouraging to  
potential new users and IT managers.

Michael



On Feb 8, 2009, at 9:52 AM, Glynn Clements wrote:

>
> Michael Barton wrote:
>
>> Along these lines, it might be worth thinking about a bit of a
>> different model for open source disclaimers. They generally say in
>> prominent type that 'hey, you're on your own with this; we're not
>> responsible for anything'. I wonder if we could have some kind of a
>> 'certified malware free' sticker for things acquired from the official
>> OSGeo site?
>
> Who is going to perform that certification?
>
> GRASS' dependency tree is pretty substantial, particularly when you
> look at e.g. GDAL and ffmpeg. Is someone going to analyse all of those
> dependencies? What if the OSGeo server subsequently gets compromised?
>
> -- 
> Glynn Clements <glynn at gclements.plus.com>