/me notes the mixed public and private lists

> I.e. assume you're a developer or sysadmin who is *not* an Apache
> committer. You know you need to get a software project management tool
> for the linux machines you maintain, and you've heard of something
> called "Maven".
>
> - What is the actual process by which you'd find out how to get this
> software (i.e. you'd search for it), and how you'd actually install it?

If I wanted to install maven, I'd do:

    yum install maven3

or

    apt-get install maven

> - How would you normally detect if you're getting the original "Maven"
> software, versus some different software - either a different vendor's
> version, or perhaps a bogus version with adware in it, or perhaps some
> non-standard version that is apparently popular, but is *not* the
> "default" version used on your platform?

So some of this is choice. By default your distribution is going to have
package repositories enabled for software the distribution packages. So if
the distribution packages the software, you presumably trust the
distribution to provide you with legitimate software. (If you can't trust
your kernel and things like binutils, why bother worrying about anything
else?) The distributions sign their packages, and the package management
system verifies that signature prior to installation.

Third parties (to the distribution) may also provide package repositories.
Cassandra, for instance, does this. They have a debian package repository
for the various versions of Cassandra. You can manually configure your
system to access that package repository, configure it to trust the
published signing key, and then things like 'apt-get install cassandra'
work, and you get cassandra from a third party repository (in this case
from the project itself).

Of course, anyone could set up a package repository - Shapeblue for
instance has done that for CloudStack - they run a package repository and
ship RPM and deb packages from it of Apache CloudStack.
http://www.shapeblue.com/packages/

How do you know they haven't tampered with it or modified it heavily? You
don't - they aren't providing the source packages, so there is no way of
knowing how they are built.

--David

> * Separately: does anyone have links to any trademark/branding policy
> pages that common package managers have out there? I'm wondering what
> policy or best practices that are *clearly documented* is already out
> there for the actual linux distros or package management systems is.

The only folks that I know of that have a policy explicitly dealing with
this is Mozilla. There is a lot of drama within the distributions about
how this is/was handled.

https://www.mozilla.org/en-US/foundation/trademarks/policy/ (read down to
the software distribution section)

Essentially, Mozilla says that you may distribute your own compiled
version of their software, using their marks, only if it is built from
unaltered source. In practice this is a bit more difficult. Having packaged
software for Fedora and a few other distributions, it's not uncommon to
need to patch something. Sometimes it's environment related (your stuff
won't build with the latest glibc), sometimes it's related to how things
get built. In Mozilla's case, they require approval of any patches applied
to source, before it's distributed. Debian decided it was too much, and
not free enough, and thus we have Iceweasel and Icedove instead of Firefox
and Thunderbird.

--David

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org
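The message above says the package manager verifies a repository's signature before installing from it. For apt, that trust is a chain: the signed Release file lists the SHA256 of each Packages index, and the Packages index lists the SHA256 of every .deb. The following is an added example (not code from this thread or from any distribution) that implements the two hash links of that chain over a constructed, fake one-package repository; it assumes the GPG check on the Release file itself has already been done with the configured signing key.

```python
import hashlib

def parse_release_sha256(release_text):
    """Return {path: (sha256hex, size)} from the SHA256: section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            # A non-indented line starts a new field; only the SHA256: list is used here.
            in_section = line.strip() == "SHA256:"
            continue
        if in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def parse_packages(packages_text):
    """Return {Filename: (sha256hex, size)} from each stanza of a Packages index."""
    result = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        result[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return result

def verify_chain(release_text, packages_path, packages_bytes, deb_path, deb_bytes):
    """True only if Release vouches for Packages and Packages vouches for the .deb."""
    expected = parse_release_sha256(release_text).get(packages_path)
    actual = (hashlib.sha256(packages_bytes).hexdigest(), len(packages_bytes))
    if expected is None or expected != actual:
        return False  # index missing from Release, or altered after Release was signed
    listed = parse_packages(packages_bytes.decode()).get(deb_path)
    return listed == (hashlib.sha256(deb_bytes).hexdigest(), len(deb_bytes))

# Constructed sample repository (not a real package): fake .deb, its index, and Release.
DEB_BYTES = b"!<arch>\nconstructed fake cassandra package\n"
PACKAGES_BYTES = (
    "Package: cassandra\nVersion: 0.0.0-constructed\n"
    "Filename: pool/main/c/cassandra_0.0.0.deb\n"
    f"Size: {len(DEB_BYTES)}\nSHA256: {hashlib.sha256(DEB_BYTES).hexdigest()}\n"
).encode()
RELEASE_TEXT = (
    "Origin: constructed\nSuite: stable\nSHA256:\n"
    f" {hashlib.sha256(PACKAGES_BYTES).hexdigest()} {len(PACKAGES_BYTES)} main/binary-amd64/Packages\n"
)

def check_sample(deb_bytes=DEB_BYTES):
    """Run the chain check on the constructed repository; pass altered bytes to see it fail."""
    return verify_chain(RELEASE_TEXT, "main/binary-amd64/Packages", PACKAGES_BYTES,
                        "pool/main/c/cassandra_0.0.0.deb", deb_bytes)
```

A third-party repository that passes this check is still only as trustworthy as the key you chose to configure, which is the point David makes about Shapeblue's builds.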