| 1 |
On Fri, 2006-06-09 at 19:41 +0200, Patrick Lauer wrote: |
| 2 |
> > This *will* affect *every* ebuild developer. |
| 3 |
> Maybe you don't realize that taking ebuilds for packages that are _not in portage_ and providing them in a nice bundle does not affect every developer? |
| 4 |
|
| 5 |
I'm sorry for the language, but I call bullshit. It is painfully |
| 6 |
obvious by your response that you've never had a library that is an |
| 7 |
optional dependency (and one we don't --without durng configure, since |
| 8 |
it isn't in the tree) cause a problem in one of your packages. Allowing |
| 9 |
libraries means it can cause breakage. Period. |
| 10 |
|
| 11 |
> Noone wants to push a new cvs-snapshot of glibc. That so not the point |
| 12 |
> here. |
| 13 |
|
| 14 |
Nobody ever said that you have to push a new glibc to cause mass |
| 15 |
breakage. |
| 16 |
|
| 17 |
> But having a controlled managed overlay with ebuilds that are now spread |
| 18 |
> all across bugzilla ... that would be a good service to our users. |
| 19 |
|
| 20 |
Since when was overlays.gentoo.org supposed to even be a service to our |
| 21 |
users? As I understand it, the goal was to ease development, not to |
| 22 |
provide an easy method for half-working ebuilds to make it to our user's |
| 23 |
machines. |
| 24 |
|
| 25 |
> > This means it *CANNOT* be left up to a small group of developers to |
| 26 |
> > decide without any discussion on the matter. |
| 27 |
> So now we're a democracy where everything needs to be voted upon? |
| 28 |
|
| 29 |
Anything this abhorrently stupid doesn't need a vote. It should be cast |
| 30 |
out on its complete lack of merit, alone. Also, at no point did I ever |
| 31 |
ask for a vote. Don't put words in my mouth and I'll try to pretend |
| 32 |
like I care what you say, OK? |
| 33 |
|
| 34 |
> *sigh* |
| 35 |
> Let's leave that debate for another day ... |
| 36 |
|
| 37 |
You brought it up, not I. Feel free to debate it with yourself until |
| 38 |
you're blue in the face. |
| 39 |
|
| 40 |
> > > Yes, now it is easier to check out the ebuilds. More users ==> better |
| 41 |
> > > testing. |
| 42 |
> > |
| 43 |
> > Except that now the developer has to do much more work to get the same |
| 44 |
> > information, making it even less likely that he'll bother to pick up one |
| 45 |
> > of these maintainer-wanted bugs. |
| 46 |
> s/the developer/I/ |
| 47 |
|
| 48 |
You're right... I had that wrong. |
| 49 |
|
| 50 |
s/the developer/the developers/ |
| 51 |
|
| 52 |
After all, there have been quite a number of people agreeing with me. |
| 53 |
|
| 54 |
> there are some devs that would prefer this overlay environment. |
| 55 |
> Please don't push your personal preferences as The Right Way (tm) |
| 56 |
|
| 57 |
Ehh. Were you an ebuild developer, your opinion might actually count |
| 58 |
for something when it comes to an ebuild development discussion. By the |
| 59 |
way, where's the GWN this week? |
| 60 |
|
| 61 |
> > You also completely gloss over the |
| 62 |
> > ability of a single rogue user to now compromise countless users with a |
| 63 |
> > single commit. |
| 64 |
> And an ebuild on bugzilla has more security? |
| 65 |
|
| 66 |
Nope. However, I'm also not proposing that ebuilds from bugzilla |
| 67 |
automatically get pulled in over some magical overlay that is supposed |
| 68 |
to fix all of the problems Gentoo's ever had with unmaintained packages. |
| 69 |
|
| 70 |
> We're just making it easier to use these ebuilds. Also I expect the |
| 71 |
> maintainers to keep a reasonable quality standard. |
| 72 |
|
| 73 |
I'm glad your faith in them is so high. My faith in *any* group this |
| 74 |
small having the ability to watch over a large number of outside |
| 75 |
contributors simply isn't there. |
| 76 |
|
| 77 |
> > Please come back once you've firmly grounded yourself in |
| 78 |
> > the reality that we're a pretty popular distribution, and that makes |
| 79 |
> > this project a prime target for malicious abuse. Perhaps if you were |
| 80 |
> > responsible for some ebuilds, you've be more cognizant of the |
| 81 |
> > implications that a bad commit can cause our users. |
| 82 |
> I am not responsible for ebuilds because I don't trust myself enough :-) |
| 83 |
|
| 84 |
That's great. I don't trust you enough, either. ;] |
| 85 |
|
| 86 |
> That doesn't stop me from giving out access to my server to anyone who |
| 87 |
> has a good reason ... like the Gentoo/HURD repository or the Java |
| 88 |
> overlay. |
| 89 |
|
| 90 |
Well, we thank you for your immense self-sacrifice. What this has to do |
| 91 |
with the topic at hand, I have no idea. |
| 92 |
|
| 93 |
> > > That differs from the 20 or so overlays maintained by users how? |
| 94 |
> > |
| 95 |
> > Let's see. They aren't on Gentoo infrastructure, which means they don't |
| 96 |
> > give off any immediate assumption of being "official" or "supported" in |
| 97 |
> > any way. Hell, go back and look at Peter's response about how he would |
| 98 |
> > use an overlay such as this only *because* it is on Gentoo |
| 99 |
> > infrastructure. |
| 100 |
> > |
| 101 |
> > So what exactly was your counter-point again? |
| 102 |
> We have control over sunrise. And hey, if it sucks kill the project with silver bullets, a stake to the heart and two pounds of garlic. |
| 103 |
|
| 104 |
I'm locked and loaded. |
| 105 |
|
| 106 |
> Just don't kill an idea before it is even tested ... |
| 107 |
|
| 108 |
Why not? What reason is there to stop me from aborting this brain-dead |
| 109 |
monstrosity before it claims a single user casualty, let alone our |
| 110 |
reputation? I would have thought that your involvement in "PR" would |
| 111 |
have you thinking better. A reputation is something that takes years to |
| 112 |
establish, and seconds to demolish. You, of all people, should know |
| 113 |
that. |
| 114 |
|
| 115 |
> > Having an overlay such as this will tarnish Gentoo's reputation. |
| 116 |
> No :-) |
| 117 |
> What reputation are we talking about? The distro that lags in updates |
| 118 |
> behind others? |
| 119 |
|
| 120 |
Yes, we are *so* lagged behind everyone else. Where do you come up with |
| 121 |
these "facts" anyway? I'd like to visit this mythical land. |
| 122 |
|
| 123 |
> Where you see a problem I see potential: More well-tested ebuilds, |
| 124 |
> recruiting potential developers ... if you don't want that you're an |
| 125 |
> elitist bastard. ;-) |
| 126 |
|
| 127 |
Aww, how sweet. We've started the name calling. |
| 128 |
|
| 129 |
I'm sorry, but having a general dumping ground for all of the crap that |
| 130 |
nobody found useful enough to actually include into Gentoo doesn't sound |
| 131 |
like the paradise that you're making it out to be. Luckily, I'm finding |
| 132 |
that I'm not alone in this, and that quite a few developers are backing |
| 133 |
me on this one. We're not blind to the problems with this project in |
| 134 |
its implementation, management, and intended goals. Perhaps you should |
| 135 |
open your eyes and seriously look at what you're pushing as a solution? |
| 136 |
|
| 137 |
> > We |
| 138 |
> > should not be providing *anything* that is only half-supported or |
| 139 |
> > half-tested. Anything less than being sully supported via the security |
| 140 |
> > team and QA is a failure on the part of Gentoo. We have enough *crap* |
| 141 |
> > in the *tree* that is unsupported, which makes us look bad, yet you want |
| 142 |
> > to insist on supporting a project that affects all of the ebuild |
| 143 |
> > developers, which you have not mentioned is a group which you are not a |
| 144 |
> > part of, so can gladly speak of increasing their workload with no |
| 145 |
> > consequences to yourself, and provides an avenue for low-quality or |
| 146 |
> > possibly malicious ebuilds to be distributed to our users, all under a |
| 147 |
> > Gentoo banner? |
| 148 |
> No :-) |
| 149 |
> 1) It doesn't increase your workload - these packages are things that |
| 150 |
> are _not_ in the main tree. |
| 151 |
|
| 152 |
I'm sorry, so your answer to this point is to just say that it is wrong |
| 153 |
with absolutely no data to back it up. Sounds about par for the course |
| 154 |
from this project's proponents. I've shown many examples where this |
| 155 |
*could* and *would* adversely affect developer workload for developers |
| 156 |
in the main tree. You are unable to refute it, so you simply state it |
| 157 |
isn't true with absolutely no way to substantiate your claims. |
| 158 |
|
| 159 |
> No overlap --> no stupid bugs with overwritten ebuilds etc. |
| 160 |
|
| 161 |
Hahahahaha! |
| 162 |
|
| 163 |
Misdirection at its finest. So tell me, where do I learn this valuable |
| 164 |
skill of completely avoiding the truth and pretending to be blind to |
| 165 |
facts. It sure must come in handy. |
| 166 |
|
| 167 |
> 2) low-quality? I might mention that I'm hosting some overlays that have |
| 168 |
> non-gentoo contributors (*gasp!*) |
| 169 |
|
| 170 |
Sure. Overlays that are run by Gentoo developers with a specific |
| 171 |
project in mind, where the project is also the maintainers of the |
| 172 |
similar packages in the tree, are intimately familiar with the packages, |
| 173 |
and are also responsible for all the bugs regarding them. Did you have |
| 174 |
a point, other than to help reiterate what I have said over and over |
| 175 |
again? You're starting to help my case as much as Jakub. |
| 176 |
|
| 177 |
> Why are they hosted on my server? Because the contributors are not (yet) |
| 178 |
> gentoo devs, but provide good to excellent input to the projects. So now |
| 179 |
> you tell me that I'm doing wrong in helping Gentoo development? These |
| 180 |
> people can't contribute to other gentoo-hosted projects, so it is easier |
| 181 |
> to move the repositories to a more liberal server. |
| 182 |
|
| 183 |
No. They're on your server because we had no facility for them to be |
| 184 |
placed on our infrastructure. They could all easily be moved now and |
| 185 |
would be well within the parameters for the overlays project. However, |
| 186 |
project sunshine flies directly in the face of those parameters, and |
| 187 |
should be killed before it is allowed to harm Gentoo. |
| 188 |
|
| 189 |
> That tells me that Gentoo development is fundamentally buggy when we |
| 190 |
> complain about a lack of manpower and then say "yeah, but not _that_ |
| 191 |
> kind of manpower" when users try to help. |
| 192 |
|
| 193 |
Except nobody says "Hey, I'd like it if users would start adding more |
| 194 |
stuff to an overlay that isn't maintained by any Gentoo developers so I |
| 195 |
can get more bugs that don't have anything to do with the official |
| 196 |
Gentoo repository. That would be swell." |
| 197 |
|
| 198 |
Asking for help where help is actually needed is one thing. Creating a |
| 199 |
project to dump all of the useless shit and try to pass it off as |
| 200 |
"helping" development is another. |
| 201 |
|
| 202 |
> <cynic> |
| 203 |
> And people wonder why usually things get done secretly and then |
| 204 |
> presented as a finished product - no wonder, it seems to be the only way |
| 205 |
> to get _anything_ done. |
| 206 |
> </cynic> |
| 207 |
|
| 208 |
Perhaps because stupid ideas such as this should never see the light of |
| 209 |
day and would be shot down by anyone sensible enough to look at it on |
| 210 |
its actual merit versus some hair-brained concept of how important they |
| 211 |
are and how much this will "help" development? |
| 212 |
|
| 213 |
> > I seriously question your motives towards the Gentoo project. |
| 214 |
> Good. Question them. I'm still doing what I can to help ... doing such silly things as finding new servers for Infra and writing articles for the GWN. |
| 215 |
|
| 216 |
Really? Which servers? Which articles? |
| 217 |
|
| 218 |
> If that isn't good enough ... well ... who cares. You invest as much as |
| 219 |
> I do in your own server for Gentoo usage and I'll not question _your_ |
| 220 |
> motives. |
| 221 |
|
| 222 |
Like the hardware I've donated on multiple occasions? Or the hours and |
| 223 |
hours I spend working on Gentoo's actual products? How about the hours |
| 224 |
spent running the Gentoo Store, that actually brings in money for |
| 225 |
Gentoo? |
| 226 |
|
| 227 |
Spending a few dollars doesn't make you anything more than a monetary |
| 228 |
contributor. It doesn't buy you any respect. It doesn't buy you |
| 229 |
anything. |
| 230 |
|
| 231 |
> Remember that "Gentoo is all about choice" discussion that pops up every |
| 232 |
> now and then? |
| 233 |
|
| 234 |
Yeah, I remember it. I also remember that only idiots continue to tout |
| 235 |
that party line as some kind of backing for every stupid and |
| 236 |
hair-brained idea that should never see the light of day. Are you |
| 237 |
really trying to use that as an argument for why something that can be |
| 238 |
shown to be a bad idea should be done? |
| 239 |
|
| 240 |
How about instead actually answering the issues that have been |
| 241 |
presented? |
| 242 |
|
| 243 |
> If a motivated group of devs wants to try an overlay experiment you |
| 244 |
> should let them try. Worst case it's a failure and gets punted after two |
| 245 |
> months. |
| 246 |
|
| 247 |
No. The worst case scenario is some gets some malicious code in the |
| 248 |
overlay and countless Gentoo boxes around the world get owned, Gentoo |
| 249 |
catches the brunt of the backlash, and the distribution starts losing |
| 250 |
users left and right and ends up dying out simply because a few selfish |
| 251 |
developers couldn't be bothered to actually take into account what other |
| 252 |
developers are telling them and decided to go forward with a stupid |
| 253 |
idea. Of course, I'm probably an optimist and much worse could probably |
| 254 |
happen. |
| 255 |
|
| 256 |
> > Wow. Another one of those "I can't answer your issue, so I'll just try |
| 257 |
> > to divert your attention somewhere else" answers. Thanks for absolutely |
| 258 |
> > nothing but contributing noise. |
| 259 |
> You know, I've met you at FOSDEM and I know that you don't mean this as an insult, but it is very easy to misread it as that. |
| 260 |
> Might I suggest that you don't formulate responses in a way that can |
| 261 |
> easily be read as a personal attack? |
| 262 |
|
| 263 |
Might I suggest you actually answer a damn question instead of using |
| 264 |
redirection and vague promises as some sort of quasi-argument? |
| 265 |
|
| 266 |
> > > > Wouldn't this process be *infinitely* easier if instead of "sunrise" |
| 267 |
> > > > there was a "pam" overlay with *only* the pam stuff? |
| 268 |
> > > Ooooh, cool. Now I need about 75 overlays to get things done, and of course there will be no bad interaction between them ;-) |
| 269 |
> > As opposed to the free for all that is this overlay? |
| 270 |
> It's easier to manage one big overlay - at least that seems to be the motivation for doing it. |
| 271 |
|
| 272 |
How exactly is it easier to manage a large number of ebuilds versus a |
| 273 |
small number? |
| 274 |
|
| 275 |
> And if we're all mistaken we at least learn a valuable lesson. |
| 276 |
|
| 277 |
Yes, that a small group of people shouldn't be allowed to make decisions |
| 278 |
for the whole and not take into account any of the cons in their ideas, |
| 279 |
instead plodding forwards as if there were no objections to their ideas. |
| 280 |
|
| 281 |
> > > ... and if we control the overlay we can exclude things like system |
| 282 |
> > > packages easily. |
| 283 |
> > |
| 284 |
> > You really do a good job of making attempts to skirt the issues. Do me |
| 285 |
> > a favor, if you're just going to use vague references and try to avoid |
| 286 |
> > answering the issues at hand, don't bother wasting everyone's time by |
| 287 |
> > replying. You're more than welcome to provide some *useful* insight, |
| 288 |
> > but simply stating that something won't be an issue doesn't make it |
| 289 |
> > true. |
| 290 |
> And you are trying your best to make me look like an ass. Please stop |
| 291 |
> doing that, it makes discussion really hard. Keep to technical issues. |
| 292 |
|
| 293 |
Quit averting the issues when they are brought up. |
| 294 |
|
| 295 |
> The issue is: This overlay will _not_ contain BreakMyGentoo-style |
| 296 |
> ebuilds of new versions of things in portage. There won't be a glibc cvs |
| 297 |
> snapshot. Just ebuilds that for now live in bugzilla and are hard to |
| 298 |
> find. We wish to provide them in an easy-to-use package to our users. |
| 299 |
|
| 300 |
This overlay *will* allow libraries that could inadvertently affect any |
| 301 |
number of packages in the Gentoo repository. |
| 302 |
|
| 303 |
This overlay *will* allow commits from anyone that requests it and has a |
| 304 |
half-way decent ebuild in bugzilla, without doing any of the |
| 305 |
trust-building that is normally required for someone to have commit |
| 306 |
access to a Gentoo resource. |
| 307 |
|
| 308 |
This overlay *will* not be monitored by any of the Gentoo security |
| 309 |
project, yet will be an official repository of ebuilds coming from |
| 310 |
Gentoo and hosted on Gentoo infrastructure. |
| 311 |
|
| 312 |
> You know ... users. Those people that are not devs. Some of us try to |
| 313 |
> give them the best experience we can, and if there is something like an |
| 314 |
> overlay that even the more n00bish users can use we should try to |
| 315 |
> provide it. |
| 316 |
|
| 317 |
Huh? You mean the ones that expect us, as developers, to have their |
| 318 |
best interests in mind and to not allow poor-quality and potentially |
| 319 |
hazardous ebuilds to hit their machines? The same ones that trust us |
| 320 |
with the stability of their machines? The same ones that choose Gentoo |
| 321 |
because we're the best, not because we have some dumping ground of |
| 322 |
barely-wanted packages? Yeah, those users... |
| 323 |
|
| 324 |
> > > And again, one svn repo vs. 113 hard-to-find bugs ... |
| 325 |
> > Amazing how you pull such numbers out of thin air. |
| 326 |
> It's a special talent. 47 <-- just for you |
| 327 |
|
| 328 |
Ahh, so you're lying. Thanks for pointing that out. It definitely |
| 329 |
helps. |
| 330 |
|
| 331 |
> > Which 113 bugs are you talking about, exactly? |
| 332 |
> Try to find the relevant files in the three bugs jakub posted. |
| 333 |
> Now try that for multiple packages ... Most users won't need to harvest |
| 334 |
> 113 bugs, but I'd prefer a "svn up". It's just so much saner and less |
| 335 |
> work that it is hard for me to see how bugzilla even makes sense. |
| 336 |
|
| 337 |
So you don't have a list of 113 bugs, but instead go on to speak of your |
| 338 |
preference to svn up. |
| 339 |
|
| 340 |
Now, I'm going to make this plain and simple. This is you avoiding the |
| 341 |
question that was presented to you. |
| 342 |
|
| 343 |
> > Isn't that what the process of becoming a developer is supposed to |
| 344 |
> > build? |
| 345 |
> That process that many people consider too complicated and |
| 346 |
> time-consuming? |
| 347 |
|
| 348 |
Yes. That *exact* process that weeds out the people that honestly want |
| 349 |
to be a part of Gentoo and those that casually want to contribute. |
| 350 |
|
| 351 |
> Not everyone wants to spend 20h a week on Gentoo. Some people just want |
| 352 |
> to maintain their personal app for Gentoo. In some cases we already have |
| 353 |
> proxy-maintainers, so I don't see why we should not try to find more |
| 354 |
> motivated smart users to help. |
| 355 |
|
| 356 |
Great. Why do they need an overlay to do their job? The funny thing is |
| 357 |
that nobody has answered this question. All that anyone has done is |
| 358 |
given some vague references or promises about how it'll be "better" |
| 359 |
having an overlay with nothing to back it up. However, I've been able |
| 360 |
to show quite a few ways in which this overlay will hurt Gentoo. There |
| 361 |
have also been comments from other developers, and users, that have been |
| 362 |
all but ignored. I guess it is hard to respond to something when you |
| 363 |
have no way to refute it, but I digress. |
| 364 |
|
| 365 |
> > Also, just because I trust one person, doesn't mean I trust |
| 366 |
> > someone that you trust. Trust is not implicit, it is earned. |
| 367 |
> That's why most Gentoo devs can have an account on my server. Except |
| 368 |
> those that have told me directly that they don't like me :-) |
| 369 |
|
| 370 |
Again, you decide to point out something that is only somewhat related |
| 371 |
and try to use it as a proving point for your position, when it really |
| 372 |
bares no real relevance. What exactly does trusting developers, which |
| 373 |
have been members of the community for some time and have proven |
| 374 |
themselves, have to do with trusting a random set of users? |
| 375 |
|
| 376 |
> > Some |
| 377 |
> > random user having complete access to an area where only people that *I* |
| 378 |
> > trust should really have access is not instilling faith in me of this |
| 379 |
> > project. However, instead of answering these concerns, you simply brush |
| 380 |
> > them aside as a non-issue, though I am not the only developer that has |
| 381 |
> > spoken out on this *exact* same issue. |
| 382 |
> The difference between a random user and a dev often is not much more |
| 383 |
> than an @gentoo.org email adress. I don't consider all users |
| 384 |
> untrustworthy - if they show that they wish to help we should not |
| 385 |
> sabotage them. Maybe you don't remember the time when you were "just" a |
| 386 |
> user? |
| 387 |
|
| 388 |
I don't consider all users untrustworthy. Never once have I said that. |
| 389 |
This is another attempt to try to put words into my mouth so that you |
| 390 |
can hit home your own ideas, which aren't even relevant, since I didn't |
| 391 |
*say* what you're responding to. Remember what I said, and that you |
| 392 |
agreed to. Trust is earned. |
| 393 |
|
| 394 |
> If someone wanted to exploit boxen he'd use a much simpler attack |
| 395 |
> vector ... our rsync mirrors are wide open. No need to secure the little |
| 396 |
> window over there when the front door is open ... |
| 397 |
|
| 398 |
Really? I'd like you to give me root on rsync.gentoo.org, then. What's |
| 399 |
that? You can't? What a wonder! |
| 400 |
|
| 401 |
> Instead of trying to kill this idea you should try to get it modified |
| 402 |
> into something we all can agree on. |
| 403 |
|
| 404 |
I tried that. I ended up receiving vague references about how the |
| 405 |
current plan will make things "better" and how nothing needs to change. |
| 406 |
Either that or the issues were simply ignored. That to me says that the |
| 407 |
team involved isn't interested in compromise. That only leaves one |
| 408 |
course of action for me, and that is to work to kill the project. |
| 409 |
|
| 410 |
-- |
| 411 |
Chris Gianelloni |
| 412 |
Release Engineering - Strategic Lead |
| 413 |
x86 Architecture Team |
| 414 |
Games - Developer |
| 415 |
Gentoo Linux |
Archives