| 1 |
On Thu, 2006-06-08 at 20:58 +0200, Markus Ullmann wrote: |
| 2 |
> To clarify things a bit (hopefully): |
| 3 |
> |
| 4 |
> 1) security |
| 5 |
> |
| 6 |
> This is not the main tree, just a normal overlay. Okay, some non-devs |
| 7 |
> contribute here but doesn't change the fact that it is just an overlay |
| 8 |
> as any other out there in the world. Well, it is a bit different. Here |
| 9 |
> are some devs keeping an eye on the evolution and can help people with |
| 10 |
> doing it right and thus get better contributions in the end. |
| 11 |
|
| 12 |
I know that when I spoke of security, I was not only talking about the |
| 13 |
security of letting non-developers commit to an overlay that is, by |
| 14 |
design, for end users, but also of the implications of ensuring that any |
| 15 |
packages in these overlays are not vulnerable to exploits. |
| 16 |
|
| 17 |
> 2) responsibility |
| 18 |
> |
| 19 |
> As already mentioned at 1), it is an overlay. The devs on sunrise do |
| 20 |
> keep an eye on it and all ebuilds do have to pass at least repoman and |
| 21 |
> some basic QA checks (currently done when porting them from bugs.g.o) so |
| 22 |
> that they don't do some rm -rf / thing. They should be improved by the |
| 23 |
> contributors then so that we have two things here: a) a contributor who |
| 24 |
> can contribute good-quality ebuils and b) a good ebuild to be picked up |
| 25 |
> by a dev and ported to the tree |
| 26 |
|
| 27 |
The problem is that you are only checking on the initial commit. Go |
| 28 |
back to point #1 (security). |
| 29 |
|
| 30 |
Again, the entire concept of overlays.gentoo.org was stated again and |
| 31 |
again that this would *not* be the result of the project. Many of the |
| 32 |
maintainer-wanted ebuilds are quite good, many need to be completely |
| 33 |
rewritten to even work properly. |
| 34 |
|
| 35 |
This also completely missing the point that most of the things in |
| 36 |
maintainer-wanted are there because there is not a developer interested |
| 37 |
in them. How will this change by moving the ebuild into an overlay, I |
| 38 |
have yet to hear. |
| 39 |
|
| 40 |
> 3) replacement for bugs.g.o |
| 41 |
> |
| 42 |
> This project isn't a try to replace the contributions to bugs. It should |
| 43 |
> just help to fetch and update things. We have help from bug-wranglers |
| 44 |
> here (well, at least from jakub) to keep the overlay in sync with it so |
| 45 |
> that one can say "Yeah, my-example/myapp r158 has this and this issue, |
| 46 |
> here is a fix for it" and then either the sunrise-devs or one of the |
| 47 |
> project-contributors commits it to the overlay. |
| 48 |
|
| 49 |
Honestly, having to break out a subversion client to check a fix |
| 50 |
immediately sounds like extra work. It is usually much easier to simply |
| 51 |
look at the attachment online and make a decision immediately. |
| 52 |
|
| 53 |
> 4) workload on devs |
| 54 |
> |
| 55 |
> Well I really have problems to see increased workload on devs here who |
| 56 |
> don't actively support the project. They can scour bugzie for |
| 57 |
> interesting ebuilds and instead of fetching files, renaming them, moving |
| 58 |
> them to a local overlay dir, just do a svn co |
| 59 |
> http://overlays.gentoo.org/svn/proj/sunrise/sys-auth/pam_skey/ (as an |
| 60 |
> example here) and you have all needed files already prepared to look at |
| 61 |
> them or to give them a try. |
| 62 |
|
| 63 |
Except that I can *look* at an ebuild without having to break out a |
| 64 |
subversion client currently. Also, you completely gloss over the fact |
| 65 |
that this is a overlay designed for end-user usage. This means that |
| 66 |
anything in this overlay is *very* likely to be on user's machines and |
| 67 |
cause any number of possible problems. Let's use your pam_skey as an |
| 68 |
example. Now, let's say that someone has this installed, and has |
| 69 |
configured it improperly. They file a bug because they are unable to |
| 70 |
login, and the pam maintainers receive the bug. How exactly are they |
| 71 |
supposed to know that this user has pam_skey even *available* to them |
| 72 |
when all they see as an overlay is "sunrise" and not the |
| 73 |
project-specific overlays that overlays.gentoo.org was designed for? |
| 74 |
|
| 75 |
All of the time wasted to determine that the user has done something |
| 76 |
unsupported to break their system is time that this developer could be |
| 77 |
working on a problem with a package that is actually in the portage |
| 78 |
tree, which is our primary product. |
| 79 |
|
| 80 |
> 5) the tarball problem |
| 81 |
> |
| 82 |
> On some bugs we also notice that people contribute tarballs instead of |
| 83 |
> ebuilds and the files as such. |
| 84 |
> Some apps need a change on a bunch of files with every version bump. |
| 85 |
> Take MailScanner as an example ( |
| 86 |
> http://bugs.gentoo.org/show_bug.cgi?id=36060 ). Many devs cry out loud |
| 87 |
> when they come across a tarball on bugzie. It is not the best way of |
| 88 |
> contribution, I know that myself. But take it the otherway around. |
| 89 |
> Someone out there took time (on some apps it is really much time) and |
| 90 |
> provided an ebuild. Maybe he is new to it and doesn't know much about |
| 91 |
> bugzie (no usability talk required here, done every 3 months on bugzie |
| 92 |
> devel ml) then they post their hard work there. Then a dev comes along |
| 93 |
> and says "never ever do attach tarballs blah blubb", the contributor |
| 94 |
> feels scared as it was his first contribution and the dev was crying out |
| 95 |
> loud and would surely think twice if the work done is worth it. |
| 96 |
|
| 97 |
An overlay will have exactly 0 impact on this. You have already stated |
| 98 |
that the ebuilds will come from bugzilla. That means that a user can |
| 99 |
still post a tarball and can still have a developer request that he not |
| 100 |
post a tarball again. This is a non-issue in this conversation. |
| 101 |
|
| 102 |
> 6) problems on infra hardware |
| 103 |
> |
| 104 |
> Well Lance arised that, so if infra has that big concerns about this |
| 105 |
> project (I personally see no hard reason for it, but let the infra guys |
| 106 |
> handle it how they want), then feel free to drop me a note and we host |
| 107 |
> it elsewhere. I really see a great chance for contributors here as they |
| 108 |
> can improve themselves here and if they contribute good quality, even |
| 109 |
> commit themselves and learn how to handle maintainership. You all know |
| 110 |
> we also have some people out there that would like to maintain just one |
| 111 |
> or two packages. Now we call it proxy maintainership but why not giving |
| 112 |
> them commit access to sunrise then? They can maintain it here without |
| 113 |
> the whole workload as dev, but maybe they get encouraged by doing so and |
| 114 |
> then become a dev later. Lots of options are possible here. |
| 115 |
|
| 116 |
You miss something. Things in this overlay still don't make it into the |
| 117 |
official tree unless a maintainer picks it up. Taking an ebuild from |
| 118 |
bugzilla and being responsible for it and taking an ebuild from an |
| 119 |
overlay and being responsible for it have the exact same cost on |
| 120 |
developer resources. Someone *still* has to maintain it. |
| 121 |
|
| 122 |
> 7) non maintainer-wanted things |
| 123 |
> |
| 124 |
> Some ebuilds found their way into the overlay, we talked about that |
| 125 |
> internally and I'll remove them after this mail is sent out, so that we |
| 126 |
> stick to maintainer-wanted things here. |
| 127 |
|
| 128 |
Thank you. This was a major concern for myself, and I'm sure quite a |
| 129 |
few others. |
| 130 |
|
| 131 |
-- |
| 132 |
Chris Gianelloni |
| 133 |
Release Engineering - Strategic Lead |
| 134 |
x86 Architecture Team |
| 135 |
Games - Developer |
| 136 |
Gentoo Linux |
Archives