[ubuntu-za] Edgy CDs for the community

Morgan Collett morgan at penguinlabs.net
Fri Mar 9 09:51:35 GMT 2007


Gustav H Meyer wrote:
> On 3/9/07, Morgan Collett <morgan at penguinlabs.net> wrote:
>   
>> The subject of LoCoTeams officially handling the ShipIt process in their
>> country keeps coming up in the global LoCoTeam discussions. Some teams
>> have proposed to handle the whole process including manufacturing (since
>> the artwork is available for the covers etc) - but Canonical's issue is
>> how the finances will be handled in a trustworthy manner.
>>     
>
> My concern would be around the security of the manufacturing
> process. How can Canonical guarantee that there are no trojan horses
> etc. that somebody could easily slip into the ISO before burning to
> CD.
>
Good point. Many people are burning and distributing, or indeed selling, 
copies - however at their own cost. This includes cover disks on 
magazines, etc. However for Canonical to put their money into it, they 
would need to be sure that the product being distributed is the exact 
product they want.

MD5 hashes do help, but how many of us who know about this already, 
would check the MD5 hash of every CD we are given?

Another issue regarding distributing CDs is that any "official" CDs must 
include the fine print required by the GPL - the offer of the source 
code. The official CDs contain this wording on the back of the cover (in 
suitably small type): "This software is released for free public use 
under several licenses. It is provided without any warranty, without 
even the implied warranty of merchantability or fitness for a particular 
purpose. See the license text included with each program for details. 
Source code for Ubuntu can be downloaded from archive.ubuntu.com or can 
be ordered from Canonical at the cost of the media and shipping." and 
then stuff about trademarks.

I would never bother for CDs that I burned myself, but for a commercial 
process it is necessary, as the question arises: here is GPL software in 
binary form. Where is the source for this exact binary?

This stuff is especially important for anybody who modifies the contents 
of the CD or produces a derivative distribution. Where is the repository 
of your source packages for all GPL packages you have added or modified? 
And preferably, where is the revision control so I can see what you 
modified?

Regards
Morgan


