On 07:53 Fri 09 Nov     , Roy Marples wrote:
> 
> On Thu, 2007-11-08 at 14:25 -0800, Donnie Berkholz wrote:
> > Here is the summary from today's council meeting. The complete log will
> > show up at http://www.gentoo.org/proj/en/council/ shortly.
> 
> 
> 
> > Baselayout-2: uberlord will continue to maintain it
> > ---------------------------------------------------
> 
> > lu_zero asked whether we had anything to do about baselayout-2 since 
> > uberlord resigned. He's continuing to maintain it in a git repository 
> > and will remain upstream for it. More details will emerge over time.
> 
> > kingtaco raised the question of trusting external releases and hosts. 
> > Some responses suggested that using git may prevent the malicious 
> > host, 
> > because of the possibility of GPG-signed tags. He mentioned the 
> > possibility of the infra team hosting Gentoo-critical repositories
> > with 
> > access by non-Gentoo developers. It's just an idea at this point, but 
> > he's going to talk to the rest of the infra team.
> 
> They should be treated in the same way as any other package. Or do you
> trust a gentoo dev MORE than say a gcc/glibc/kernel/bash/foo dev? If so,
> why?
> More to the point, if said dev then joins Gentoo, do you implicitly
> trust that dev more?

I brought up that point during the meeting, if you read the log you'll 
see it. =)

> As I've gone the other way, do you now trust me less? I'd like to know
> why also :)

I don't hold this opinion, but people could bring up later resentment at 
Gentoo for not being able to get your way, etc.

I think we successfully directed any paranoia away from you and in the 
direction of whether wherever a git repo would get hosted is less 
trustable than Gentoo infra.

Could you tell us a bit about what you're thinking for where to host the 
repo?

Thanks,
Donnie
-- 
gentoo-council@g.o mailing list