1 |
Richard Freeman <rich0@g.o> said: |
2 |
> AllenJB wrote: |
3 |
> > All that's going to happen is Gentoo will have many many buggy and |
4 |
> > out of date packages in the MAIN TREE. Exactly where they shouldn't |
5 |
> > be. You claim quality won't be sacrificed, but I simply can't see |
6 |
> > this without any attempt to solve the manpower issues first. |
7 |
> > |
8 |
> > Isn't the purpose of this project already somewhat covered by |
9 |
> > Sunrise? |
10 |
> |
11 |
> I have to agree with your points. We need to have quality standards |
12 |
> for packages. Currently we have a couple of tiers: |
13 |
> |
14 |
> 1. Main tree - every ebuild has an official maintainer and gets prompt |
15 |
> security updates/etc. New features might get a little more stale, but |
16 |
> you aren't going to be running at risk if you only use the main tree |
17 |
> and routinely emerge -u world. If a package falls behind on security |
18 |
> it gets masked and booted. |
19 |
> |
20 |
> 2. Overlays - you're on your own and at the general mercy of the |
21 |
> overlay maintainer. |
22 |
> |
23 |
> 3. Sunrise (just a special case of an overlay) - somewhere in-between. |
24 |
> Again, you have to opt-in. |
25 |
> |
26 |
|
27 |
AFAIK, we have never explicitly made this distinction clear. if we had, we |
28 |
would have to remove stuff from portage which doesnt live up to the |
29 |
standards. |
30 |
|
31 |
it is also not true from a more real world perspective: there are many |
32 |
packages in portage that have a standard which is much lower than what is |
33 |
in some overlays. and there are many packages in overlays which live up to |
34 |
a quality standard way above portage's average. |
35 |
|
36 |
if you want to exaggerate a bit, we have roughly 500 ebuilds in portage |
37 |
which are maintainer-needed and have only a few users and thats why you |
38 |
want to keep popular packages out of the tree? |
39 |
|
40 |
its weird, how this whole thing started with wanting to accomodate our |
41 |
users better and then other people come around and argue against it in |
42 |
order to protect our users... |
43 |
user who want protection run stable arch! |
44 |
|
45 |
given the current state of the tree, its hypocritical to be against this |
46 |
proposal, IMHO. |
47 |
|
48 |
however, one could try to implement the above quality standards, possibly |
49 |
by splitting up the tree. |
50 |
|
51 |
this issue, as well as some others very similar to this one, have come up |
52 |
many times before. I suggest we do something about it... (splitting the |
53 |
tree or moving more stuff wholesale into portage and have a better rating |
54 |
system... whatever) |
55 |
|
56 |
Fedora is a much more current distribution than Gentoo - and has been for |
57 |
a couple of years... |
58 |
|
59 |
regards |
60 |
Thilo |
61 |
|
62 |
> I think that we still need to have defined levels of quality, so if we |
63 |
> start putting unmaintained stuff in the main tree then we absolutely |
64 |
> need to preserve a mechanism for users to indicate what level of |
65 |
> quality they desire. Users running a typical install shouldn't |
66 |
> inadvertently have dependencies pulled in which aren't fully controlled |
67 |
> for security issues. |
68 |
> |
69 |
> Could something like sunrise be integrated into the main tree? Sure. |
70 |
> However, there would need to be lots of rules and QA checks like |
71 |
> non-sunrise packages not depending on sunrise packages and the sunrise |
72 |
> packages are somehow clearly marked. Maybe even an ACCEPT_QUALITY = |
73 |
> "good-luck-with-that" setting or something like that in make.conf. We |
74 |
> might also need tiered levels of security in cvs. I'm not convinced |
75 |
> that in the end it will be any better than just having those who are |
76 |
> interested add an overlay to their tree. |
77 |
> |
78 |
> Maybe a better option would be a way to make overlays more seamless. |
79 |
> Additionally we could have rating categories for overlays like |
80 |
> "security responsiveness," "currency with upstream," etc. The gentoo |
81 |
> project would ask overlays to declare their policies as a condition of |
82 |
> being accessible via the seamless interface, and would drop overlays if |
83 |
> they don't follow their policies. It would still be easy for users to |
84 |
> pick non-standard overlays but it would be clear that they are |
85 |
> venturing off on their own if they do this (just as is the case with |
86 |
> layman today). |
87 |
> |
88 |
> Sure, I'd love to see an extra 1000 supported packages in portage, but |
89 |
> the key is "supported", not just shoveled-in. |