[ubuntu-za] Edgy CDs for the community
Morgan Collett
morgan at penguinlabs.net
Fri Mar 9 09:51:35 GMT 2007
Gustav H Meyer wrote:
> On 3/9/07, Morgan Collett <morgan at penguinlabs.net> wrote:
>
>> The subject of LoCoTeams officially handling the ShipIt process in their
>> country keeps coming up in the global LoCoTeam discussions. Some teams
>> have proposed to handle the whole process including manufacturing (since
>> the artwork is available for the covers etc) - but Canonical's issue is
>> how the finances will be handled in a trustworthy manner.
>>
>
> My concern would be around the securities of the manufacturing
> process. How can Canonical guarantee that there are no trojan horses
> etc. that somebody could easily slip into the iso before burning to
> cd.
>
Good point. Many people are burning and distributing, or indeed selling,
copies - however at their own cost. This includes cover disks on
magazines, etc. However for Canonical to put their money into it, they
would need to be sure that the product being distributed is the exact
product they want.

MD5 hashes do help, but how many of us who know about this already,
would check the MD5 hash of every CD we are given?

Another issue regarding distributing CDs is that any "official" CDs must
include the fine print required by the GPL - the offer of the source
code. The official CDs contain this wording on the back of the cover (in
suitably small type): "This software is released for free public use
under several licenses. It is provided without any warranty, without
even the implied warranty of merchantability or fitness for a particular
purpose. See the license text included with each program for details.
Source code for Ubuntu can be downloaded from archive.ubuntu.com or can
be ordered from Canonical at the cost of the media and shipping." and
then stuff about trademarks.

I would never bother for CDs that I burned myself, but for a commercial
process it is necessary as the question arises, here is GPL software in
binary form. Where is the source for this exact binary?

This stuff is especially important for anybody who modifies the contents
of the CD or produces a derivative distribution. Where is the repository
of your source packages for all GPL packages you have added or modified?
And preferably, where is the revision control so I can see what you
modified?

Regards
Morgan