Hi Ido,
If I might chime in, I am a bit worried about all the automatic installation going on in galaxy, and it seems that the trend is to enhance this. A small R or python script calling into well known libraries that come from well known repositories (bioconductor etc… ) I can check. (Of course I install too much stuff from github, bioconductor etc… without checking).
Yes, these are huge security concerns and every admin is advised to check the code beforehand. In case of binaries it's hard or not possible at all. That's one reason I want to discuss that issue.
I'm not sure it is comparable to an entire Linux distribution, it's more like an Appstore, like pypi, bioconductor or gems, and yes that is
The app stores are checked by Apple or Google for malicious code, the apps are sandboxed. There are many eyes for python, bioconductor packages and gems because many more people interact with them directly compared to galaxy-tools.
Sure, the Galaxy Tool Shed is slowly getting there. The IUC (Intergalactic Utilities Commission) was founded in the end of 2012 and should be something like a reviewing instance for tools.
Sorry, maybe I was misleading. I only want a central storage for binaries/tarballs where the source cannot be trusted for long term. 'long term' and 'trusted' need to be defined in such a discussion here. I do not think we should copy python packages that are stored in pypi. We should make it as easy as possible to install them in our repository. If you do not trust pypi, we can offer a mirror. Same goes for gems.
Trusted for me means I trust the source not to have dangerous code. I trust pypi more than some mirror, bioconductor base packages more than some freshly published package that few people have used, tools from galaxy core developers more than from tool-shed etc… I know this is not the type of trust you were talking about.
That is, it's twofold. One is to trust the source to not infiltrate the system or do any harm, the other part is to trust the availability of data. Both are important imho. Cheers, Bjoern
best, ido