1 |
On Fri, 2006-06-09 at 19:41 +0200, Patrick Lauer wrote: |
2 |
> > This *will* affect *every* ebuild developer. |
3 |
> Maybe you don't realize that taking ebuilds for packages that are _not in portage_ and providing them in a nice bundle does not affect every developer? |
4 |
|
5 |
I'm sorry for the language, but I call bullshit. It is painfully |
6 |
obvious by your response that you've never had a library that is an |
7 |
optional dependency (and one we don't --without durng configure, since |
8 |
it isn't in the tree) cause a problem in one of your packages. Allowing |
9 |
libraries means it can cause breakage. Period. |
10 |
|
11 |
> Noone wants to push a new cvs-snapshot of glibc. That so not the point |
12 |
> here. |
13 |
|
14 |
Nobody ever said that you have to push a new glibc to cause mass |
15 |
breakage. |
16 |
|
17 |
> But having a controlled managed overlay with ebuilds that are now spread |
18 |
> all across bugzilla ... that would be a good service to our users. |
19 |
|
20 |
Since when was overlays.gentoo.org supposed to even be a service to our |
21 |
users? As I understand it, the goal was to ease development, not to |
22 |
provide an easy method for half-working ebuilds to make it to our user's |
23 |
machines. |
24 |
|
25 |
> > This means it *CANNOT* be left up to a small group of developers to |
26 |
> > decide without any discussion on the matter. |
27 |
> So now we're a democracy where everything needs to be voted upon? |
28 |
|
29 |
Anything this abhorrently stupid doesn't need a vote. It should be cast |
30 |
out on its complete lack of merit, alone. Also, at no point did I ever |
31 |
ask for a vote. Don't put words in my mouth and I'll try to pretend |
32 |
like I care what you say, OK? |
33 |
|
34 |
> *sigh* |
35 |
> Let's leave that debate for another day ... |
36 |
|
37 |
You brought it up, not I. Feel free to debate it with yourself until |
38 |
you're blue in the face. |
39 |
|
40 |
> > > Yes, now it is easier to check out the ebuilds. More users ==> better |
41 |
> > > testing. |
42 |
> > |
43 |
> > Except that now the developer has to do much more work to get the same |
44 |
> > information, making it even less likely that he'll bother to pick up one |
45 |
> > of these maintainer-wanted bugs. |
46 |
> s/the developer/I/ |
47 |
|
48 |
You're right... I had that wrong. |
49 |
|
50 |
s/the developer/the developers/ |
51 |
|
52 |
After all, there have been quite a number of people agreeing with me. |
53 |
|
54 |
> there are some devs that would prefer this overlay environment. |
55 |
> Please don't push your personal preferences as The Right Way (tm) |
56 |
|
57 |
Ehh. Were you an ebuild developer, your opinion might actually count |
58 |
for something when it comes to an ebuild development discussion. By the |
59 |
way, where's the GWN this week? |
60 |
|
61 |
> > You also completely gloss over the |
62 |
> > ability of a single rogue user to now compromise countless users with a |
63 |
> > single commit. |
64 |
> And an ebuild on bugzilla has more security? |
65 |
|
66 |
Nope. However, I'm also not proposing that ebuilds from bugzilla |
67 |
automatically get pulled in over some magical overlay that is supposed |
68 |
to fix all of the problems Gentoo's ever had with unmaintained packages. |
69 |
|
70 |
> We're just making it easier to use these ebuilds. Also I expect the |
71 |
> maintainers to keep a reasonable quality standard. |
72 |
|
73 |
I'm glad your faith in them is so high. My faith in *any* group this |
74 |
small having the ability to watch over a large number of outside |
75 |
contributors simply isn't there. |
76 |
|
77 |
> > Please come back once you've firmly grounded yourself in |
78 |
> > the reality that we're a pretty popular distribution, and that makes |
79 |
> > this project a prime target for malicious abuse. Perhaps if you were |
80 |
> > responsible for some ebuilds, you've be more cognizant of the |
81 |
> > implications that a bad commit can cause our users. |
82 |
> I am not responsible for ebuilds because I don't trust myself enough :-) |
83 |
|
84 |
That's great. I don't trust you enough, either. ;] |
85 |
|
86 |
> That doesn't stop me from giving out access to my server to anyone who |
87 |
> has a good reason ... like the Gentoo/HURD repository or the Java |
88 |
> overlay. |
89 |
|
90 |
Well, we thank you for your immense self-sacrifice. What this has to do |
91 |
with the topic at hand, I have no idea. |
92 |
|
93 |
> > > That differs from the 20 or so overlays maintained by users how? |
94 |
> > |
95 |
> > Let's see. They aren't on Gentoo infrastructure, which means they don't |
96 |
> > give off any immediate assumption of being "official" or "supported" in |
97 |
> > any way. Hell, go back and look at Peter's response about how he would |
98 |
> > use an overlay such as this only *because* it is on Gentoo |
99 |
> > infrastructure. |
100 |
> > |
101 |
> > So what exactly was your counter-point again? |
102 |
> We have control over sunrise. And hey, if it sucks kill the project with silver bullets, a stake to the heart and two pounds of garlic. |
103 |
|
104 |
I'm locked and loaded. |
105 |
|
106 |
> Just don't kill an idea before it is even tested ... |
107 |
|
108 |
Why not? What reason is there to stop me from aborting this brain-dead |
109 |
monstrosity before it claims a single user casualty, let alone our |
110 |
reputation? I would have thought that your involvement in "PR" would |
111 |
have you thinking better. A reputation is something that takes years to |
112 |
establish, and seconds to demolish. You, of all people, should know |
113 |
that. |
114 |
|
115 |
> > Having an overlay such as this will tarnish Gentoo's reputation. |
116 |
> No :-) |
117 |
> What reputation are we talking about? The distro that lags in updates |
118 |
> behind others? |
119 |
|
120 |
Yes, we are *so* lagged behind everyone else. Where do you come up with |
121 |
these "facts" anyway? I'd like to visit this mythical land. |
122 |
|
123 |
> Where you see a problem I see potential: More well-tested ebuilds, |
124 |
> recruiting potential developers ... if you don't want that you're an |
125 |
> elitist bastard. ;-) |
126 |
|
127 |
Aww, how sweet. We've started the name calling. |
128 |
|
129 |
I'm sorry, but having a general dumping ground for all of the crap that |
130 |
nobody found useful enough to actually include into Gentoo doesn't sound |
131 |
like the paradise that you're making it out to be. Luckily, I'm finding |
132 |
that I'm not alone in this, and that quite a few developers are backing |
133 |
me on this one. We're not blind to the problems with this project in |
134 |
its implementation, management, and intended goals. Perhaps you should |
135 |
open your eyes and seriously look at what you're pushing as a solution? |
136 |
|
137 |
> > We |
138 |
> > should not be providing *anything* that is only half-supported or |
139 |
> > half-tested. Anything less than being sully supported via the security |
140 |
> > team and QA is a failure on the part of Gentoo. We have enough *crap* |
141 |
> > in the *tree* that is unsupported, which makes us look bad, yet you want |
142 |
> > to insist on supporting a project that affects all of the ebuild |
143 |
> > developers, which you have not mentioned is a group which you are not a |
144 |
> > part of, so can gladly speak of increasing their workload with no |
145 |
> > consequences to yourself, and provides an avenue for low-quality or |
146 |
> > possibly malicious ebuilds to be distributed to our users, all under a |
147 |
> > Gentoo banner? |
148 |
> No :-) |
149 |
> 1) It doesn't increase your workload - these packages are things that |
150 |
> are _not_ in the main tree. |
151 |
|
152 |
I'm sorry, so your answer to this point is to just say that it is wrong |
153 |
with absolutely no data to back it up. Sounds about par for the course |
154 |
from this project's proponents. I've shown many examples where this |
155 |
*could* and *would* adversely affect developer workload for developers |
156 |
in the main tree. You are unable to refute it, so you simply state it |
157 |
isn't true with absolutely no way to substantiate your claims. |
158 |
|
159 |
> No overlap --> no stupid bugs with overwritten ebuilds etc. |
160 |
|
161 |
Hahahahaha! |
162 |
|
163 |
Misdirection at its finest. So tell me, where do I learn this valuable |
164 |
skill of completely avoiding the truth and pretending to be blind to |
165 |
facts. It sure must come in handy. |
166 |
|
167 |
> 2) low-quality? I might mention that I'm hosting some overlays that have |
168 |
> non-gentoo contributors (*gasp!*) |
169 |
|
170 |
Sure. Overlays that are run by Gentoo developers with a specific |
171 |
project in mind, where the project is also the maintainers of the |
172 |
similar packages in the tree, are intimately familiar with the packages, |
173 |
and are also responsible for all the bugs regarding them. Did you have |
174 |
a point, other than to help reiterate what I have said over and over |
175 |
again? You're starting to help my case as much as Jakub. |
176 |
|
177 |
> Why are they hosted on my server? Because the contributors are not (yet) |
178 |
> gentoo devs, but provide good to excellent input to the projects. So now |
179 |
> you tell me that I'm doing wrong in helping Gentoo development? These |
180 |
> people can't contribute to other gentoo-hosted projects, so it is easier |
181 |
> to move the repositories to a more liberal server. |
182 |
|
183 |
No. They're on your server because we had no facility for them to be |
184 |
placed on our infrastructure. They could all easily be moved now and |
185 |
would be well within the parameters for the overlays project. However, |
186 |
project sunshine flies directly in the face of those parameters, and |
187 |
should be killed before it is allowed to harm Gentoo. |
188 |
|
189 |
> That tells me that Gentoo development is fundamentally buggy when we |
190 |
> complain about a lack of manpower and then say "yeah, but not _that_ |
191 |
> kind of manpower" when users try to help. |
192 |
|
193 |
Except nobody says "Hey, I'd like it if users would start adding more |
194 |
stuff to an overlay that isn't maintained by any Gentoo developers so I |
195 |
can get more bugs that don't have anything to do with the official |
196 |
Gentoo repository. That would be swell." |
197 |
|
198 |
Asking for help where help is actually needed is one thing. Creating a |
199 |
project to dump all of the useless shit and try to pass it off as |
200 |
"helping" development is another. |
201 |
|
202 |
> <cynic> |
203 |
> And people wonder why usually things get done secretly and then |
204 |
> presented as a finished product - no wonder, it seems to be the only way |
205 |
> to get _anything_ done. |
206 |
> </cynic> |
207 |
|
208 |
Perhaps because stupid ideas such as this should never see the light of |
209 |
day and would be shot down by anyone sensible enough to look at it on |
210 |
its actual merit versus some hair-brained concept of how important they |
211 |
are and how much this will "help" development? |
212 |
|
213 |
> > I seriously question your motives towards the Gentoo project. |
214 |
> Good. Question them. I'm still doing what I can to help ... doing such silly things as finding new servers for Infra and writing articles for the GWN. |
215 |
|
216 |
Really? Which servers? Which articles? |
217 |
|
218 |
> If that isn't good enough ... well ... who cares. You invest as much as |
219 |
> I do in your own server for Gentoo usage and I'll not question _your_ |
220 |
> motives. |
221 |
|
222 |
Like the hardware I've donated on multiple occasions? Or the hours and |
223 |
hours I spend working on Gentoo's actual products? How about the hours |
224 |
spent running the Gentoo Store, that actually brings in money for |
225 |
Gentoo? |
226 |
|
227 |
Spending a few dollars doesn't make you anything more than a monetary |
228 |
contributor. It doesn't buy you any respect. It doesn't buy you |
229 |
anything. |
230 |
|
231 |
> Remember that "Gentoo is all about choice" discussion that pops up every |
232 |
> now and then? |
233 |
|
234 |
Yeah, I remember it. I also remember that only idiots continue to tout |
235 |
that party line as some kind of backing for every stupid and |
236 |
hair-brained idea that should never see the light of day. Are you |
237 |
really trying to use that as an argument for why something that can be |
238 |
shown to be a bad idea should be done? |
239 |
|
240 |
How about instead actually answering the issues that have been |
241 |
presented? |
242 |
|
243 |
> If a motivated group of devs wants to try an overlay experiment you |
244 |
> should let them try. Worst case it's a failure and gets punted after two |
245 |
> months. |
246 |
|
247 |
No. The worst case scenario is some gets some malicious code in the |
248 |
overlay and countless Gentoo boxes around the world get owned, Gentoo |
249 |
catches the brunt of the backlash, and the distribution starts losing |
250 |
users left and right and ends up dying out simply because a few selfish |
251 |
developers couldn't be bothered to actually take into account what other |
252 |
developers are telling them and decided to go forward with a stupid |
253 |
idea. Of course, I'm probably an optimist and much worse could probably |
254 |
happen. |
255 |
|
256 |
> > Wow. Another one of those "I can't answer your issue, so I'll just try |
257 |
> > to divert your attention somewhere else" answers. Thanks for absolutely |
258 |
> > nothing but contributing noise. |
259 |
> You know, I've met you at FOSDEM and I know that you don't mean this as an insult, but it is very easy to misread it as that. |
260 |
> Might I suggest that you don't formulate responses in a way that can |
261 |
> easily be read as a personal attack? |
262 |
|
263 |
Might I suggest you actually answer a damn question instead of using |
264 |
redirection and vague promises as some sort of quasi-argument? |
265 |
|
266 |
> > > > Wouldn't this process be *infinitely* easier if instead of "sunrise" |
267 |
> > > > there was a "pam" overlay with *only* the pam stuff? |
268 |
> > > Ooooh, cool. Now I need about 75 overlays to get things done, and of course there will be no bad interaction between them ;-) |
269 |
> > As opposed to the free for all that is this overlay? |
270 |
> It's easier to manage one big overlay - at least that seems to be the motivation for doing it. |
271 |
|
272 |
How exactly is it easier to manage a large number of ebuilds versus a |
273 |
small number? |
274 |
|
275 |
> And if we're all mistaken we at least learn a valuable lesson. |
276 |
|
277 |
Yes, that a small group of people shouldn't be allowed to make decisions |
278 |
for the whole and not take into account any of the cons in their ideas, |
279 |
instead plodding forwards as if there were no objections to their ideas. |
280 |
|
281 |
> > > ... and if we control the overlay we can exclude things like system |
282 |
> > > packages easily. |
283 |
> > |
284 |
> > You really do a good job of making attempts to skirt the issues. Do me |
285 |
> > a favor, if you're just going to use vague references and try to avoid |
286 |
> > answering the issues at hand, don't bother wasting everyone's time by |
287 |
> > replying. You're more than welcome to provide some *useful* insight, |
288 |
> > but simply stating that something won't be an issue doesn't make it |
289 |
> > true. |
290 |
> And you are trying your best to make me look like an ass. Please stop |
291 |
> doing that, it makes discussion really hard. Keep to technical issues. |
292 |
|
293 |
Quit averting the issues when they are brought up. |
294 |
|
295 |
> The issue is: This overlay will _not_ contain BreakMyGentoo-style |
296 |
> ebuilds of new versions of things in portage. There won't be a glibc cvs |
297 |
> snapshot. Just ebuilds that for now live in bugzilla and are hard to |
298 |
> find. We wish to provide them in an easy-to-use package to our users. |
299 |
|
300 |
This overlay *will* allow libraries that could inadvertently affect any |
301 |
number of packages in the Gentoo repository. |
302 |
|
303 |
This overlay *will* allow commits from anyone that requests it and has a |
304 |
half-way decent ebuild in bugzilla, without doing any of the |
305 |
trust-building that is normally required for someone to have commit |
306 |
access to a Gentoo resource. |
307 |
|
308 |
This overlay *will* not be monitored by any of the Gentoo security |
309 |
project, yet will be an official repository of ebuilds coming from |
310 |
Gentoo and hosted on Gentoo infrastructure. |
311 |
|
312 |
> You know ... users. Those people that are not devs. Some of us try to |
313 |
> give them the best experience we can, and if there is something like an |
314 |
> overlay that even the more n00bish users can use we should try to |
315 |
> provide it. |
316 |
|
317 |
Huh? You mean the ones that expect us, as developers, to have their |
318 |
best interests in mind and to not allow poor-quality and potentially |
319 |
hazardous ebuilds to hit their machines? The same ones that trust us |
320 |
with the stability of their machines? The same ones that choose Gentoo |
321 |
because we're the best, not because we have some dumping ground of |
322 |
barely-wanted packages? Yeah, those users... |
323 |
|
324 |
> > > And again, one svn repo vs. 113 hard-to-find bugs ... |
325 |
> > Amazing how you pull such numbers out of thin air. |
326 |
> It's a special talent. 47 <-- just for you |
327 |
|
328 |
Ahh, so you're lying. Thanks for pointing that out. It definitely |
329 |
helps. |
330 |
|
331 |
> > Which 113 bugs are you talking about, exactly? |
332 |
> Try to find the relevant files in the three bugs jakub posted. |
333 |
> Now try that for multiple packages ... Most users won't need to harvest |
334 |
> 113 bugs, but I'd prefer a "svn up". It's just so much saner and less |
335 |
> work that it is hard for me to see how bugzilla even makes sense. |
336 |
|
337 |
So you don't have a list of 113 bugs, but instead go on to speak of your |
338 |
preference to svn up. |
339 |
|
340 |
Now, I'm going to make this plain and simple. This is you avoiding the |
341 |
question that was presented to you. |
342 |
|
343 |
> > Isn't that what the process of becoming a developer is supposed to |
344 |
> > build? |
345 |
> That process that many people consider too complicated and |
346 |
> time-consuming? |
347 |
|
348 |
Yes. That *exact* process that weeds out the people that honestly want |
349 |
to be a part of Gentoo and those that casually want to contribute. |
350 |
|
351 |
> Not everyone wants to spend 20h a week on Gentoo. Some people just want |
352 |
> to maintain their personal app for Gentoo. In some cases we already have |
353 |
> proxy-maintainers, so I don't see why we should not try to find more |
354 |
> motivated smart users to help. |
355 |
|
356 |
Great. Why do they need an overlay to do their job? The funny thing is |
357 |
that nobody has answered this question. All that anyone has done is |
358 |
given some vague references or promises about how it'll be "better" |
359 |
having an overlay with nothing to back it up. However, I've been able |
360 |
to show quite a few ways in which this overlay will hurt Gentoo. There |
361 |
have also been comments from other developers, and users, that have been |
362 |
all but ignored. I guess it is hard to respond to something when you |
363 |
have no way to refute it, but I digress. |
364 |
|
365 |
> > Also, just because I trust one person, doesn't mean I trust |
366 |
> > someone that you trust. Trust is not implicit, it is earned. |
367 |
> That's why most Gentoo devs can have an account on my server. Except |
368 |
> those that have told me directly that they don't like me :-) |
369 |
|
370 |
Again, you decide to point out something that is only somewhat related |
371 |
and try to use it as a proving point for your position, when it really |
372 |
bares no real relevance. What exactly does trusting developers, which |
373 |
have been members of the community for some time and have proven |
374 |
themselves, have to do with trusting a random set of users? |
375 |
|
376 |
> > Some |
377 |
> > random user having complete access to an area where only people that *I* |
378 |
> > trust should really have access is not instilling faith in me of this |
379 |
> > project. However, instead of answering these concerns, you simply brush |
380 |
> > them aside as a non-issue, though I am not the only developer that has |
381 |
> > spoken out on this *exact* same issue. |
382 |
> The difference between a random user and a dev often is not much more |
383 |
> than an @gentoo.org email adress. I don't consider all users |
384 |
> untrustworthy - if they show that they wish to help we should not |
385 |
> sabotage them. Maybe you don't remember the time when you were "just" a |
386 |
> user? |
387 |
|
388 |
I don't consider all users untrustworthy. Never once have I said that. |
389 |
This is another attempt to try to put words into my mouth so that you |
390 |
can hit home your own ideas, which aren't even relevant, since I didn't |
391 |
*say* what you're responding to. Remember what I said, and that you |
392 |
agreed to. Trust is earned. |
393 |
|
394 |
> If someone wanted to exploit boxen he'd use a much simpler attack |
395 |
> vector ... our rsync mirrors are wide open. No need to secure the little |
396 |
> window over there when the front door is open ... |
397 |
|
398 |
Really? I'd like you to give me root on rsync.gentoo.org, then. What's |
399 |
that? You can't? What a wonder! |
400 |
|
401 |
> Instead of trying to kill this idea you should try to get it modified |
402 |
> into something we all can agree on. |
403 |
|
404 |
I tried that. I ended up receiving vague references about how the |
405 |
current plan will make things "better" and how nothing needs to change. |
406 |
Either that or the issues were simply ignored. That to me says that the |
407 |
team involved isn't interested in compromise. That only leaves one |
408 |
course of action for me, and that is to work to kill the project. |
409 |
|
410 |
-- |
411 |
Chris Gianelloni |
412 |
Release Engineering - Strategic Lead |
413 |
x86 Architecture Team |
414 |
Games - Developer |
415 |
Gentoo Linux |