1 |
On Thu, 2006-06-08 at 20:58 +0200, Markus Ullmann wrote: |
2 |
> To clarify things a bit (hopefully): |
3 |
> |
4 |
> 1) security |
5 |
> |
6 |
> This is not the main tree, just a normal overlay. Okay, some non-devs |
7 |
> contribute here but doesn't change the fact that it is just an overlay |
8 |
> as any other out there in the world. Well, it is a bit different. Here |
9 |
> are some devs keeping an eye on the evolution and can help people with |
10 |
> doing it right and thus get better contributions in the end. |
11 |
|
12 |
I know that when I spoke of security, I was not only talking about the |
13 |
security of letting non-developers commit to an overlay that is, by |
14 |
design, for end users, but also of the implications of ensuring that any |
15 |
packages in these overlays are not vulnerable to exploits. |
16 |
|
17 |
> 2) responsibility |
18 |
> |
19 |
> As already mentioned at 1), it is an overlay. The devs on sunrise do |
20 |
> keep an eye on it and all ebuilds do have to pass at least repoman and |
21 |
> some basic QA checks (currently done when porting them from bugs.g.o) so |
22 |
> that they don't do some rm -rf / thing. They should be improved by the |
23 |
> contributors then so that we have two things here: a) a contributor who |
24 |
> can contribute good-quality ebuils and b) a good ebuild to be picked up |
25 |
> by a dev and ported to the tree |
26 |
|
27 |
The problem is that you are only checking on the initial commit. Go |
28 |
back to point #1 (security). |
29 |
|
30 |
Again, the entire concept of overlays.gentoo.org was stated again and |
31 |
again that this would *not* be the result of the project. Many of the |
32 |
maintainer-wanted ebuilds are quite good, many need to be completely |
33 |
rewritten to even work properly. |
34 |
|
35 |
This also completely missing the point that most of the things in |
36 |
maintainer-wanted are there because there is not a developer interested |
37 |
in them. How will this change by moving the ebuild into an overlay, I |
38 |
have yet to hear. |
39 |
|
40 |
> 3) replacement for bugs.g.o |
41 |
> |
42 |
> This project isn't a try to replace the contributions to bugs. It should |
43 |
> just help to fetch and update things. We have help from bug-wranglers |
44 |
> here (well, at least from jakub) to keep the overlay in sync with it so |
45 |
> that one can say "Yeah, my-example/myapp r158 has this and this issue, |
46 |
> here is a fix for it" and then either the sunrise-devs or one of the |
47 |
> project-contributors commits it to the overlay. |
48 |
|
49 |
Honestly, having to break out a subversion client to check a fix |
50 |
immediately sounds like extra work. It is usually much easier to simply |
51 |
look at the attachment online and make a decision immediately. |
52 |
|
53 |
> 4) workload on devs |
54 |
> |
55 |
> Well I really have problems to see increased workload on devs here who |
56 |
> don't actively support the project. They can scour bugzie for |
57 |
> interesting ebuilds and instead of fetching files, renaming them, moving |
58 |
> them to a local overlay dir, just do a svn co |
59 |
> http://overlays.gentoo.org/svn/proj/sunrise/sys-auth/pam_skey/ (as an |
60 |
> example here) and you have all needed files already prepared to look at |
61 |
> them or to give them a try. |
62 |
|
63 |
Except that I can *look* at an ebuild without having to break out a |
64 |
subversion client currently. Also, you completely gloss over the fact |
65 |
that this is a overlay designed for end-user usage. This means that |
66 |
anything in this overlay is *very* likely to be on user's machines and |
67 |
cause any number of possible problems. Let's use your pam_skey as an |
68 |
example. Now, let's say that someone has this installed, and has |
69 |
configured it improperly. They file a bug because they are unable to |
70 |
login, and the pam maintainers receive the bug. How exactly are they |
71 |
supposed to know that this user has pam_skey even *available* to them |
72 |
when all they see as an overlay is "sunrise" and not the |
73 |
project-specific overlays that overlays.gentoo.org was designed for? |
74 |
|
75 |
All of the time wasted to determine that the user has done something |
76 |
unsupported to break their system is time that this developer could be |
77 |
working on a problem with a package that is actually in the portage |
78 |
tree, which is our primary product. |
79 |
|
80 |
> 5) the tarball problem |
81 |
> |
82 |
> On some bugs we also notice that people contribute tarballs instead of |
83 |
> ebuilds and the files as such. |
84 |
> Some apps need a change on a bunch of files with every version bump. |
85 |
> Take MailScanner as an example ( |
86 |
> http://bugs.gentoo.org/show_bug.cgi?id=36060 ). Many devs cry out loud |
87 |
> when they come across a tarball on bugzie. It is not the best way of |
88 |
> contribution, I know that myself. But take it the otherway around. |
89 |
> Someone out there took time (on some apps it is really much time) and |
90 |
> provided an ebuild. Maybe he is new to it and doesn't know much about |
91 |
> bugzie (no usability talk required here, done every 3 months on bugzie |
92 |
> devel ml) then they post their hard work there. Then a dev comes along |
93 |
> and says "never ever do attach tarballs blah blubb", the contributor |
94 |
> feels scared as it was his first contribution and the dev was crying out |
95 |
> loud and would surely think twice if the work done is worth it. |
96 |
|
97 |
An overlay will have exactly 0 impact on this. You have already stated |
98 |
that the ebuilds will come from bugzilla. That means that a user can |
99 |
still post a tarball and can still have a developer request that he not |
100 |
post a tarball again. This is a non-issue in this conversation. |
101 |
|
102 |
> 6) problems on infra hardware |
103 |
> |
104 |
> Well Lance arised that, so if infra has that big concerns about this |
105 |
> project (I personally see no hard reason for it, but let the infra guys |
106 |
> handle it how they want), then feel free to drop me a note and we host |
107 |
> it elsewhere. I really see a great chance for contributors here as they |
108 |
> can improve themselves here and if they contribute good quality, even |
109 |
> commit themselves and learn how to handle maintainership. You all know |
110 |
> we also have some people out there that would like to maintain just one |
111 |
> or two packages. Now we call it proxy maintainership but why not giving |
112 |
> them commit access to sunrise then? They can maintain it here without |
113 |
> the whole workload as dev, but maybe they get encouraged by doing so and |
114 |
> then become a dev later. Lots of options are possible here. |
115 |
|
116 |
You miss something. Things in this overlay still don't make it into the |
117 |
official tree unless a maintainer picks it up. Taking an ebuild from |
118 |
bugzilla and being responsible for it and taking an ebuild from an |
119 |
overlay and being responsible for it have the exact same cost on |
120 |
developer resources. Someone *still* has to maintain it. |
121 |
|
122 |
> 7) non maintainer-wanted things |
123 |
> |
124 |
> Some ebuilds found their way into the overlay, we talked about that |
125 |
> internally and I'll remove them after this mail is sent out, so that we |
126 |
> stick to maintainer-wanted things here. |
127 |
|
128 |
Thank you. This was a major concern for myself, and I'm sure quite a |
129 |
few others. |
130 |
|
131 |
-- |
132 |
Chris Gianelloni |
133 |
Release Engineering - Strategic Lead |
134 |
x86 Architecture Team |
135 |
Games - Developer |
136 |
Gentoo Linux |