1 |
* Nirbheek Chauhan <nirbheek@g.o> schrieb: |
2 |
|
3 |
> > Thats not even necessary. They just should use the infrastructure, |
4 |
> > as described in my paper. So everyone can easily set up automatic |
5 |
> > notifications, cherry-pick, etc, etc. |
6 |
> |
7 |
> Why should we? |
8 |
|
9 |
To make tracking and applying other's changes much easier. |
10 |
Currently it's quite work intensive to do so. |
11 |
|
12 |
If - hypothetically - everyone work within an git repo, using a |
13 |
normalized naming/versioning scheme, it is trivial to set some |
14 |
little tracking system, informing package maintainers if something |
15 |
happens (new upstream, new patches from distro XYZ, etc). And |
16 |
we can inspect that easily, take patches, etc, etc, using |
17 |
standard git tools. |
18 |
|
19 |
> I am *yet* to see a single reason for us to change how we work |
20 |
> other than "please use this since I've been putting a lot of |
21 |
> effort into it". |
22 |
|
23 |
I have no intention to urge you to use my approach, I'm just |
24 |
offering you my works, nothing more. |
25 |
|
26 |
> >> On a technical level, it's got serious security, trust, and |
27 |
> >> redundancy problems. |
28 |
> > |
29 |
> > Git makes that very easy ;-p |
30 |
> > |
31 |
> |
32 |
> No, it does not. The security problems come because you are the single |
33 |
> point of failure. |
34 |
|
35 |
Which SPOF ? |
36 |
|
37 |
man 1 git-cone ;-p |
38 |
|
39 |
> The trust problems come because we have no reason to trust you. |
40 |
|
41 |
You dont have to trust me. Just let me point out some possible |
42 |
leak points (if I missed some, feel free to add them ...): |
43 |
|
44 |
a) repository manipulation (directly changing objects): will |
45 |
be found out by git-gc. |
46 |
|
47 |
b) injecting changed upstream: you can easily compare my UPSTREAM.* |
48 |
tags against the real upstream's tarballs or vcs tags. |
49 |
|
50 |
BTW: as long as not all upstreams sign their releases, our trust |
51 |
relies just relies on their server's integrity (and the connection |
52 |
to them). |
53 |
|
54 |
c) manipulated tags: someone, perhaps myself overwrites other's tags |
55 |
use signed tags, and check the signatures (easily doable by a |
56 |
little shell script |
57 |
|
58 |
d) some vendor (possibly myself) adds crappy changes: you'll most |
59 |
likely have a look at the changes before cherry-picking them. |
60 |
|
61 |
> The redundancy problems come because if your hosting goes |
62 |
> down or you lose interest, we're left high and dry. |
63 |
|
64 |
That wouldn't affect your clones. You simply won't get anything |
65 |
new from my site anymore. |
66 |
|
67 |
> > If we're doing a good job (my generic fixes instead of distro- |
68 |
> > specfic dirty hacks) about 99% can be shared ;-p |
69 |
> > |
70 |
> |
71 |
> I'd advise you to take a look at the sort of patching Ubuntu/Debian |
72 |
> does, and then revisit that figure. You'll find it more along the |
73 |
> lines of 30%. |
74 |
|
75 |
I never claimed that Ubuntu does clean and generic fixes. |
76 |
|
77 |
BTW: Gentoo tends to have similar problems, just look at the zlib ebuild: |
78 |
|
79 |
|
80 |
>> # trust exit status of the compiler rather than stderr #55434 |
81 |
>> # -if test "`(...) 2>&1`" = ""; then |
82 |
>> # +if (...) 2>/dev/null; then |
83 |
>> sed -i 's|\<test "`\([^"]*\) 2>&1`" = ""|\1 2>/dev/null|' configure || die |
84 |
>> sed -i -e '/ldconfig/d' Makefile* || die |
85 |
|
86 |
> >> A practical solution to the problem of patch sharing is to |
87 |
> >> have a website with a search interface for upstream source |
88 |
> >> tarballs, which can display all the patches that various |
89 |
> >> distros apply, as well as a download link for the patchsets |
90 |
> >> (hotlinked to the distro files where possible). |
91 |
> > |
92 |
> > Too complicated, and actually would not help me a single bit. |
93 |
> |
94 |
> Help *you*? I thought this was about helping the distros. |
95 |
|
96 |
Yes, I first want to solve my daily business problems, but in a way |
97 |
that other folks can benefit from my works. |
98 |
|
99 |
> >> Distro packagers are much more comfortable with downloading |
100 |
> >> patchsets from a foreign source than complete tarballs. |
101 |
> > |
102 |
> > man git-format-patch ;-p |
103 |
> > |
104 |
> |
105 |
> So why don't you submit that to bugzilla? |
106 |
|
107 |
Yet too complicated/work intensive to do this for each individual |
108 |
distro. It would be a completely different issue, if there was |
109 |
some robot interface for that. |
110 |
|
111 |
On the other hand, if you pull from my repo, you can easily hack |
112 |
up a little bot, which tells you when something happens (or |
113 |
even send you patches). |
114 |
|
115 |
> > Meanwhile I dont need it anymore, since I gave up maintaining |
116 |
> > plaintext patches in favour of git. And that makes my daily works |
117 |
> > _much_ easier. |
118 |
> > |
119 |
> |
120 |
> You don't need to maintain **anything** manually if you code the |
121 |
> website properly. That's the whole point. You get major benefits with |
122 |
> minimal long-term work which can be done by a single person in their |
123 |
> free time. |
124 |
|
125 |
First, I have to build that website and maintain it over a long time. |
126 |
Then I'll have to do a lot of advertisement work to get people to |
127 |
actually push their patches there. |
128 |
|
129 |
On the other hand, the git-based infrastructure is already there, |
130 |
people can use it right now. And it gives my exactly what I need. |
131 |
So I prefer spending my time in advocating this one. |
132 |
|
133 |
> This job is easily automated to simply aggregate links to patches |
134 |
> which all the distros manually publish themselves. |
135 |
|
136 |
It's not that simple. Many distros don't even do proper patches, |
137 |
instead wildly copy over or directly sed certain sourcesfiles, |
138 |
or even (like Debian) use their own broken tarballs. |
139 |
(the worst srcpkg I've ever seen is Debian's mysql-5.0.32 ...) |
140 |
|
141 |
And even *if* we assume, that everyone's just doing patches, we |
142 |
still need to transform the everbody's strange (often not even |
143 |
linear) versioning schemes. One of OSS-QMs primary goals is to |
144 |
use a strictly normalized/canonical naming/versioning scheme in |
145 |
the primay source repository. |
146 |
|
147 |
|
148 |
cu |
149 |
-- |
150 |
---------------------------------------------------------------------- |
151 |
Enrico Weigelt, metux IT service -- http://www.metux.de/ |
152 |
|
153 |
phone: +49 36207 519931 email: weigelt@×××××.de |
154 |
mobile: +49 151 27565287 icq: 210169427 skype: nekrad666 |
155 |
---------------------------------------------------------------------- |
156 |
Embedded-Linux / Portierung / Opensource-QM / Verteilte Systeme |
157 |
---------------------------------------------------------------------- |