Thanks a lot for your reply. Please see inline comments.

Olly Betts <firstname.lastname@example.org> writes:

> On Mon, Nov 19, 2007 at 06:58:47PM +0100, Gregor Schmid wrote:
>> The SUSE RPMs for xapian are provided on the openSUSE build service
>> and though I'm pretty sure that they were placed there by some of the
>> xapian developers, it is not clear how our provider can verify that.
>
> Assuming you mean those linked to from the download page on xapian.org,

Correct.

> they aren't maintained by any Xapian developers,

I see.

> but I think those
> responsible are SuSE developers (3 of the 4 listed on the build service
> have @novell.com email addresses at least). I believe some of them read

It would be great to get a response from one or more of them. BTW,
where can I find the info on who has (supposedly) created a package
available from the build service? I've browsed the site for a while
now, but haven't found anything like that.

Hold on, I just found a name in the changelog section of the packages
with a suse.de address. Thus it seems that Marcus Rueckert is the
maintainer. I saw some of his posts in the list archive.

And just while I'm writing this mail, Marcus' response came in also :-)

> I also have an account on their buildservice which I use for testing
> builds, but these aren't intended for public consumption.
>
>> On the Build Service website there is talk about a trust relationship
>> and a rating mechanism, but none of this seems to be implemented.
>
> I don't know about this.
>
>> If there's no such mechanism, would it be possible for you to assist
>> verification by, for example, publishing an MD5 hash for the latest
>> packages on the xapian.org website? Our provider would be willing to
>> trust a package downloaded directly from the authors, i.e.
>> www.xapian.org and posting such a hash for externally provided
>> packages could create the same level of trust for those.
>
> I don't have a way to easily verify the contents of those packages, so
> publishing a hash for them on xapian.org wouldn't actually provide a
> valid reason for trusting them more than you would otherwise.
>
>> Of course, if the creator of those packages is not affiliated with
>> xapian.org that suggestion doesn't make sense.
>>
>> Ideas, alternative suggestions, feedback from other users of the xapian
>> SUSE RPMs etc. would be greatly appreciated.
>
> If they're only willing to trust downloads from xapian.org, building from
> source seems the obvious approach - there's a spec file in each tarball
> so rpmbuild can work directly from them. I can see hosting companies
> not being so keen on that though.

Yes, that's one of the obvious solutions. But of course, effort is an
issue here since they don't have any interest of their own in
installing the packages. Worse, that would mean that they'd have to
take on the responsibility for keeping the package up-to-date and
react quickly whenever a security issue in xapian or omega is

> Or find a provider who offers virtual servers - that way installing
> packages for you doesn't affect other users.

Good suggestion, but that's not really an option, I'm afraid.
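The checksum check discussed in the thread, as an added example that is not part of this mail exchange or of Xapian's own tooling. It verifies a downloaded tarball against a checksum file in the line format that md5sum and sha256sum emit (the file names, their contents and the "published" checksum text are all constructed here). It also makes Olly's point concrete: a match only proves the bytes are the ones the publisher hashed, so the check is worth exactly as much as the publisher's knowledge of what they hashed.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> algorithm, covering the formats of md5sum and
# sha256sum style checksum files.
ALGO_BY_HEXLEN = {32: "md5", 64: "sha256"}


def parse_checksum_file(text):
    """Parse '<hexdigest>  <filename>' lines into {filename: (algo, digest)}.

    Handles both the two-space (text mode) and the ' *' (binary mode)
    separators that md5sum/sha256sum emit; lines that do not carry a
    digest of a known length are skipped rather than trusted.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        name = name.lstrip("*").strip()
        algo = ALGO_BY_HEXLEN.get(len(digest))
        if algo is None:
            continue
        entries[name] = (algo, digest.lower())
    return entries


def hash_file(path, algo):
    """Hex digest of a file, read in chunks so large tarballs fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, checksum_text):
    """Check the file at path against the published checksum list.

    Returns (ok, algo, reason). A match only shows the bytes are the ones
    the publisher hashed; it says nothing about who built them or whether
    the publisher inspected their contents.
    """
    entries = parse_checksum_file(checksum_text)
    name = os.path.basename(path)
    if name not in entries:
        return False, None, "no published checksum for " + name
    algo, expected = entries[name]
    actual = hash_file(path, algo)
    if not hmac.compare_digest(actual, expected):
        return False, algo, "digest mismatch"
    return True, algo, "ok"


def run_demo():
    """Constructed scenario: a good file, a tampered mirror copy, an unlisted file."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        core = "xapian-core-X.Y.Z.tar.gz"     # constructed placeholder names
        omega = "xapian-omega-X.Y.Z.tar.gz"   # (not real release files)
        core_path = os.path.join(tmp, core)
        omega_path = os.path.join(tmp, omega)
        with open(core_path, "wb") as fh:
            fh.write(b"constructed tarball bytes, not a real release\n")
        with open(omega_path, "wb") as fh:
            fh.write(b"second constructed tarball\n")
        # The checksum file as the authors' site would publish it: one
        # md5sum text-mode line and one sha256sum binary-mode line.
        published = "%s  %s\n%s *%s\n" % (
            hash_file(core_path, "md5"), core,
            hash_file(omega_path, "sha256"), omega)
        results["good_md5"] = verify_download(core_path, published)
        results["good_sha256"] = verify_download(omega_path, published)
        # Same file name fetched from an untrusted mirror, one byte changed.
        mirror = os.path.join(tmp, "mirror")
        os.mkdir(mirror)
        tampered = os.path.join(mirror, core)
        with open(tampered, "wb") as fh:
            fh.write(b"constructed tarball bytes, not a real release!\n")
        results["tampered"] = verify_download(tampered, published)
        # A package the authors never listed: nothing to compare against.
        results["unlisted"] = verify_download(os.path.join(tmp, "xapian.rpm"), published)
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(case, outcome)
```

The algorithm is picked from the digest length so the same code accepts an MD5 list like the one proposed in the thread or a SHA-256 list; the unlisted case is reported separately from a mismatch, since a package nobody has published a digest for is exactly the situation the provider is in with the build-service RPMs.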