| 1 |
On Sun, Dec 18, 2005 at 04:52:23PM +0000, Ciaran McCreesh wrote: |
| 2 |
> On Sat, 17 Dec 2005 23:27:32 -0800 Brian Harring <ferringb@g.o> |
| 3 |
> wrote: |
| 4 |
> | To head off the "don't make features that are easily screwed up", |
| 5 |
> | this isn't one of them- this is expecting code to behave correctly |
| 6 |
> | from the path standpoint. |
| 7 |
> |
| 8 |
> Hrm, so will we be allowing spaces in package and category names too? |
| 9 |
|
| 10 |
No, due to atoms in *depend being seperated by whitespace. Wouldn't |
| 11 |
work without introducing escaping into it- beyond that the cat/pkg |
| 12 |
standard is in place already. |
| 13 |
|
| 14 |
Your repo_id however, is not, thus it's mallable. |
| 15 |
|
| 16 |
It's irrevelant either way- as I stated, your code *needs to be* space |
| 17 |
safe. Existing repo label'ing code in saviour _already_ allows spaces |
| 18 |
(it's just a fricking name), dissallowing spaces due to a concern that |
| 19 |
someone might screw up is daft. |
| 20 |
|
| 21 |
So... don't point at other things that are already set in stone and |
| 22 |
disallow spaces for their own reasons; state why it must be disallowed |
| 23 |
here, or merely state "I hate spaces". |
| 24 |
|
| 25 |
Like I said a couple of emails back, block spaces in repo_id if you |
| 26 |
like, either way the code involved has to be space safe for paths, so |
| 27 |
it's an arbitrary restriction... |
| 28 |
|
| 29 |
Dunno. Either way, path handling *must* be space safe anyways- if you |
| 30 |
restrict repo_id to lack spaces, your choice, still going to allow external |
| 31 |
aliasing of the repo_id to have spaces. |
| 32 |
|
| 33 |
|
| 34 |
> | > I don't want to introduce any signing requirements that we don't |
| 35 |
> | > have already. When signing for everything else becomes mandatory, |
| 36 |
> | > signing for news would be too. If I make this a 'must', someone |
| 37 |
> | > will ask me to specify how we're handling the Gentoo keyring... |
| 38 |
> | |
| 39 |
> | Pawn the keyring off on others. The issues isn't an established |
| 40 |
> | trust ring, it's required signing- yes, a trust ring makes things a |
| 41 |
> | helluva lot easier on the user front, but it's useless without a |
| 42 |
> | required signing policy. |
| 43 |
> | |
| 44 |
> | We've already had this conversation also btw, in the |
| 45 |
> | beginning of glep42 iirc. Obviously I don't agree |
| 46 |
> | with your reasoning "I'll do it when it's required I do it". It's |
| 47 |
> | useful now, it becomes massively more useful when a trust ring is |
| 48 |
> | available. |
| 49 |
> |
| 50 |
> Ok, how about I change it to "must", and add a note under Backwards |
| 51 |
> Compatibility along the lines of: |
| 52 |
> |
| 53 |
> At the time of writing, there is no standardised mechanism for handling |
| 54 |
> GPG signatures in Gentoo. Until such a mechanism exists, GPG signing |
| 55 |
> cannot be considered mandatory. |
| 56 |
|
| 57 |
And provisions for going back and signing everything that was _not_ |
| 58 |
signed while you delaying waiting for a keyring? |
| 59 |
|
| 60 |
That's why I'm pushing it. Mandate it as required now, keyring down |
| 61 |
the line just makes it more useful. Make it 'suggested' (which this |
| 62 |
is, you've changed nothing but words), you've left a mess that needs |
| 63 |
to be addressed when keyring comes about. |
| 64 |
|
| 65 |
Same scenario as before, think forward- force it from the get go, less |
| 66 |
crap to deal with down the line. Mandate it, no mess- just the |
| 67 |
pre-existing problem of getting a keyring collected. |
| 68 |
|
| 69 |
Delay it, keyring + going back and trying to get folk to re-sign their |
| 70 |
releases. That and any unsigned material released during that period |
| 71 |
cannot be verified, because we're waiting for a keyring. |
| 72 |
|
| 73 |
See the gains? Might be unpalatable, but it is the path of least work |
| 74 |
long term. |
| 75 |
|
| 76 |
|
| 77 |
> Ok, how's this? |
| 78 |
> |
| 79 |
> ``Revision:`` |
| 80 |
> Initially 1. Should be incremented every time a change is made to |
| 81 |
> the news item. Changes that require a re-read of the news item (for |
| 82 |
> example, most changes that are not spelling or formatting related) |
| 83 |
> should instead use a new news item. Mandatory. |
| 84 |
|
| 85 |
Works, thank you. |
| 86 |
|
| 87 |
|
| 88 |
> | > | This isn't incredibly useful if ranged versions are ever |
| 89 |
> | > | introduced. Ammending the glep for that seems stupid, looser |
| 90 |
> | > | language might be wise. |
| 91 |
> | > |
| 92 |
> | > What's the syntax for ranged versions? And how do they differ from |
| 93 |
> | > SLOT versions? |
| 94 |
> | |
| 95 |
> | >=kde-base/kde-libs-3.0 <=kde-base/kde-libs-4.0 |
| 96 |
> | |
| 97 |
> | It's not syntax as much as a boolean and of atoms. |
| 98 |
> |
| 99 |
> Hrm, ok. Wouldn't this resolve as true if you have kde-libs-2.0 and |
| 100 |
> kde-libs-5.0 installed (assuming SLOTted kde-libs)? |
| 101 |
|
| 102 |
Note I said boolean and. Resolution of that string *should* result |
| 103 |
in 3-4 via portage processing of it; doesn't handle it perfectly, but |
| 104 |
the reason I brought it up is that via limiting it to a single atom, |
| 105 |
you block (if/when) ranged versions. |
| 106 |
|
| 107 |
|
| 108 |
> | Any signed item would need to be verified also, although fortunately |
| 109 |
> | this chunk can be done in parallel to regen run. |
| 110 |
> |
| 111 |
> Hrm, is signing verification done for tree items? |
| 112 |
|
| 113 |
*If* a component was fully signed, verification prior to dissemination |
| 114 |
should occur. Reliant on a keyring to automate it however, plus some |
| 115 |
voodoo to make as much as possible go in parallel (so as not to |
| 116 |
overrun the window). |
| 117 |
|
| 118 |
|
| 119 |
> | > | You haven't stated how the 'package manager' will trigger the |
| 120 |
> | > | user's reader of choice for these targets. Should also extend |
| 121 |
> | > | this to allow a way to disable any news notices, lest someone's |
| 122 |
> | > | cronjob get hung displaying news (feature or not, it's needed). |
| 123 |
> | > |
| 124 |
> | > The same way the package manager handles updating config files: it |
| 125 |
> | > won't. It'll just tell the user that some news items need reading. |
| 126 |
> | |
| 127 |
> | And you'll personally handle all of the bug spam from feature |
| 128 |
> | requests that --ask trigger $news_reader? |
| 129 |
> | |
| 130 |
> | It's a logical extension, thus people will ask for it. |
| 131 |
> |
| 132 |
> What does emerge --ask do currently for config files? |
| 133 |
|
| 134 |
see email responding to marius about why etc-update and friends aren't |
| 135 |
the best example... |
| 136 |
|
| 137 |
Personally, I'm not much for triggering the news reader, but I'd |
| 138 |
expect folks will want a way to trigger the user's preferred reader. |
| 139 |
That's the crux of this question- you've bound this cruft into |
| 140 |
eselect, would assume there is a way to trigger the default reader |
| 141 |
(guessing at least). |
| 142 |
|
| 143 |
If there is some way to trigger whatever the default news reader is, |
| 144 |
then the --ask cruft can be ignored; just asking about something as |
| 145 |
simple as a symlink, so if the request comes up (it will, imo), it's |
| 146 |
doable rather then trying to go and modify the existing clients to |
| 147 |
support it. |
| 148 |
|
| 149 |
</ramble> |
| 150 |
|
| 151 |
~harring |
Archives