Ion3 license violation

Tuomo Valkonen tuomov at iki.fi
Thu Dec 13 02:28:04 PST 2007


On 2007-12-13, Peter Jeremy <peterjeremy at optushome.com.au> wrote:
> I'm not sure how me as an end user not bothering to update my
> installed package for several months differs from me as a package
> distributor failing to update a binary distribution to your latest
> release within 28 days,

As someone who's been using a particular version for some time, you are 
more likely to check for a new version before complaining. Now consider
a new _l_user that has just heard of Ion, installing it from a distro that
doesn't keep up-to-date, and running into problems. Aside from lusers 
having no idea that the distro doesn't keep up-to-date, and distributes
old broken development snapshots, running into problems is more likely
after a new install than later on. That's what this is about. 

> In general, FreeBSD only distributes third-party packages in binary format.

Umm.. the ports system is primarily source-based, and you distribute the
sources.

> How will this work if the end user does not have web access or doesn't
> have the resources or desire to compile it?

I did mention that this does not work for binary packages.

> This signature was created using a self-signed key and is therefore
> useless as a mechanism to verify the associated package.  

IRL-based PGP signing customs suck [1]. I don't even know anyone IRL
that would have the slightest interest in using encryption.

  [1]: http://www.iki.fi/tuomov/b/archives/2006/06/25/T00_20_11/

> way to verify that the person who created that signature is the same
> person who wrote the e-mail I am responding to or that either are
> actually the author of the "official" version of Ion-3.

That doesn't matter. What matters is that the _same_ key is used,
after you've initially verified the package.

-- 
Tuomo
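
The key-continuity check described in the last reply (record the signing key once, then require the same key for later releases), sketched as an added example that is not part of the original message or of any Ion tooling. It reads the text that `gpg --status-fd 1 --verify` emits; the pin file, the project label, the fingerprints and the status lines are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Constructed fingerprints; not real keys.
KEY_FIRST_SEEN = "0123456789ABCDEF0123456789ABCDEF01234567"
KEY_OTHER = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
BAD_STATUS = "[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer\n"

def status_for(fpr):
    """Build constructed status output for a good signature made by `fpr`."""
    return ("[GNUPG:] GOODSIG %s Example Signer\n" % fpr[-16:] +
            "[GNUPG:] VALIDSIG %s 2007-12-01 1196467200 0 4 0 17 2 00 %s\n" % (fpr, fpr))

def signer_fingerprint(status_text):
    """Return the signer's fingerprint from a VALIDSIG line, or None.

    VALIDSIG only appears for a cryptographically good signature. It says
    nothing about who owns the key; continuity is what the pin adds.
    """
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            # Field 11 is the primary-key fingerprint when gpg reports it;
            # otherwise fall back to the signing key fingerprint in field 2.
            return (parts[11] if len(parts) >= 12 else parts[2]).upper()
    return None

def check_continuity(pin_file, project, status_text):
    """Return 'pinned', 'match', 'mismatch' or 'no-valid-sig'."""
    fpr = signer_fingerprint(status_text)
    if fpr is None:
        return "no-valid-sig"
    pins = json.loads(pin_file.read_text()) if pin_file.exists() else {}
    if project not in pins:
        pins[project] = fpr  # first use: record the key, nothing to compare yet
        pin_file.write_text(json.dumps(pins, indent=2))
        return "pinned"
    # A mismatch never overwrites the pin; it needs a manual decision.
    return "match" if pins[project] == fpr else "mismatch"

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        pin_file = Path(tmp) / "pins.json"  # hypothetical pin store
        inputs = [status_for(KEY_FIRST_SEEN), status_for(KEY_FIRST_SEEN),
                  status_for(KEY_OTHER), BAD_STATUS]
        return [check_continuity(pin_file, "ion-3", s) for s in inputs]

if __name__ == "__main__":
    print(demo())
```

A `mismatch` result means only that the signer changed since the first verified release; whether that is a key rotation or a different party has to be settled out of band.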



More information about the freebsd-ports mailing list