| 1 |
* Nirbheek Chauhan <nirbheek@g.o> schrieb: |
| 2 |
|
| 3 |
> > Thats not even necessary. They just should use the infrastructure, |
| 4 |
> > as described in my paper. So everyone can easily set up automatic |
| 5 |
> > notifications, cherry-pick, etc, etc. |
| 6 |
> |
| 7 |
> Why should we? |
| 8 |
|
| 9 |
To make tracking and applying other's changes much easier. |
| 10 |
Currently it's quite work intensive to do so. |
| 11 |
|
| 12 |
If - hypothetically - everyone work within an git repo, using a |
| 13 |
normalized naming/versioning scheme, it is trivial to set some |
| 14 |
little tracking system, informing package maintainers if something |
| 15 |
happens (new upstream, new patches from distro XYZ, etc). And |
| 16 |
we can inspect that easily, take patches, etc, etc, using |
| 17 |
standard git tools. |
| 18 |
|
| 19 |
> I am *yet* to see a single reason for us to change how we work |
| 20 |
> other than "please use this since I've been putting a lot of |
| 21 |
> effort into it". |
| 22 |
|
| 23 |
I have no intention to urge you to use my approach, I'm just |
| 24 |
offering you my works, nothing more. |
| 25 |
|
| 26 |
> >> On a technical level, it's got serious security, trust, and |
| 27 |
> >> redundancy problems. |
| 28 |
> > |
| 29 |
> > Git makes that very easy ;-p |
| 30 |
> > |
| 31 |
> |
| 32 |
> No, it does not. The security problems come because you are the single |
| 33 |
> point of failure. |
| 34 |
|
| 35 |
Which SPOF ? |
| 36 |
|
| 37 |
man 1 git-cone ;-p |
| 38 |
|
| 39 |
> The trust problems come because we have no reason to trust you. |
| 40 |
|
| 41 |
You dont have to trust me. Just let me point out some possible |
| 42 |
leak points (if I missed some, feel free to add them ...): |
| 43 |
|
| 44 |
a) repository manipulation (directly changing objects): will |
| 45 |
be found out by git-gc. |
| 46 |
|
| 47 |
b) injecting changed upstream: you can easily compare my UPSTREAM.* |
| 48 |
tags against the real upstream's tarballs or vcs tags. |
| 49 |
|
| 50 |
BTW: as long as not all upstreams sign their releases, our trust |
| 51 |
relies just relies on their server's integrity (and the connection |
| 52 |
to them). |
| 53 |
|
| 54 |
c) manipulated tags: someone, perhaps myself overwrites other's tags |
| 55 |
use signed tags, and check the signatures (easily doable by a |
| 56 |
little shell script |
| 57 |
|
| 58 |
d) some vendor (possibly myself) adds crappy changes: you'll most |
| 59 |
likely have a look at the changes before cherry-picking them. |
| 60 |
|
| 61 |
> The redundancy problems come because if your hosting goes |
| 62 |
> down or you lose interest, we're left high and dry. |
| 63 |
|
| 64 |
That wouldn't affect your clones. You simply won't get anything |
| 65 |
new from my site anymore. |
| 66 |
|
| 67 |
> > If we're doing a good job (my generic fixes instead of distro- |
| 68 |
> > specfic dirty hacks) about 99% can be shared ;-p |
| 69 |
> > |
| 70 |
> |
| 71 |
> I'd advise you to take a look at the sort of patching Ubuntu/Debian |
| 72 |
> does, and then revisit that figure. You'll find it more along the |
| 73 |
> lines of 30%. |
| 74 |
|
| 75 |
I never claimed that Ubuntu does clean and generic fixes. |
| 76 |
|
| 77 |
BTW: Gentoo tends to have similar problems, just look at the zlib ebuild: |
| 78 |
|
| 79 |
|
| 80 |
>> # trust exit status of the compiler rather than stderr #55434 |
| 81 |
>> # -if test "`(...) 2>&1`" = ""; then |
| 82 |
>> # +if (...) 2>/dev/null; then |
| 83 |
>> sed -i 's|\<test "`\([^"]*\) 2>&1`" = ""|\1 2>/dev/null|' configure || die |
| 84 |
>> sed -i -e '/ldconfig/d' Makefile* || die |
| 85 |
|
| 86 |
> >> A practical solution to the problem of patch sharing is to |
| 87 |
> >> have a website with a search interface for upstream source |
| 88 |
> >> tarballs, which can display all the patches that various |
| 89 |
> >> distros apply, as well as a download link for the patchsets |
| 90 |
> >> (hotlinked to the distro files where possible). |
| 91 |
> > |
| 92 |
> > Too complicated, and actually would not help me a single bit. |
| 93 |
> |
| 94 |
> Help *you*? I thought this was about helping the distros. |
| 95 |
|
| 96 |
Yes, I first want to solve my daily business problems, but in a way |
| 97 |
that other folks can benefit from my works. |
| 98 |
|
| 99 |
> >> Distro packagers are much more comfortable with downloading |
| 100 |
> >> patchsets from a foreign source than complete tarballs. |
| 101 |
> > |
| 102 |
> > man git-format-patch ;-p |
| 103 |
> > |
| 104 |
> |
| 105 |
> So why don't you submit that to bugzilla? |
| 106 |
|
| 107 |
Yet too complicated/work intensive to do this for each individual |
| 108 |
distro. It would be a completely different issue, if there was |
| 109 |
some robot interface for that. |
| 110 |
|
| 111 |
On the other hand, if you pull from my repo, you can easily hack |
| 112 |
up a little bot, which tells you when something happens (or |
| 113 |
even send you patches). |
| 114 |
|
| 115 |
> > Meanwhile I dont need it anymore, since I gave up maintaining |
| 116 |
> > plaintext patches in favour of git. And that makes my daily works |
| 117 |
> > _much_ easier. |
| 118 |
> > |
| 119 |
> |
| 120 |
> You don't need to maintain **anything** manually if you code the |
| 121 |
> website properly. That's the whole point. You get major benefits with |
| 122 |
> minimal long-term work which can be done by a single person in their |
| 123 |
> free time. |
| 124 |
|
| 125 |
First, I have to build that website and maintain it over a long time. |
| 126 |
Then I'll have to do a lot of advertisement work to get people to |
| 127 |
actually push their patches there. |
| 128 |
|
| 129 |
On the other hand, the git-based infrastructure is already there, |
| 130 |
people can use it right now. And it gives my exactly what I need. |
| 131 |
So I prefer spending my time in advocating this one. |
| 132 |
|
| 133 |
> This job is easily automated to simply aggregate links to patches |
| 134 |
> which all the distros manually publish themselves. |
| 135 |
|
| 136 |
It's not that simple. Many distros don't even do proper patches, |
| 137 |
instead wildly copy over or directly sed certain sourcesfiles, |
| 138 |
or even (like Debian) use their own broken tarballs. |
| 139 |
(the worst srcpkg I've ever seen is Debian's mysql-5.0.32 ...) |
| 140 |
|
| 141 |
And even *if* we assume, that everyone's just doing patches, we |
| 142 |
still need to transform the everbody's strange (often not even |
| 143 |
linear) versioning schemes. One of OSS-QMs primary goals is to |
| 144 |
use a strictly normalized/canonical naming/versioning scheme in |
| 145 |
the primay source repository. |
| 146 |
|
| 147 |
|
| 148 |
cu |
| 149 |
-- |
| 150 |
---------------------------------------------------------------------- |
| 151 |
Enrico Weigelt, metux IT service -- http://www.metux.de/ |
| 152 |
|
| 153 |
phone: +49 36207 519931 email: weigelt@×××××.de |
| 154 |
mobile: +49 151 27565287 icq: 210169427 skype: nekrad666 |
| 155 |
---------------------------------------------------------------------- |
| 156 |
Embedded-Linux / Portierung / Opensource-QM / Verteilte Systeme |
| 157 |
---------------------------------------------------------------------- |
Archives