1 |
On Fri, 2006-06-09 at 10:28 +0200, Patrick Lauer wrote: |
2 |
> On Thu, 2006-06-08 at 20:06 -0400, Chris Gianelloni wrote: |
3 |
> > > You don't need a subversion client, you perhaps notice the http in front |
4 |
> > > of the url.. just open it up in your browser and you get the source |
5 |
> > > immediately. |
6 |
> > |
7 |
> > Umm... so now I need to go and instead of clicking a nice link in |
8 |
> > bugzilla, trawl through the subversion repository and find what I'm |
9 |
> > looking for? How exactly is downloading things via http any different |
10 |
> > than downloading them from bugzilla, which is also http? |
11 |
> just my point of view - |
12 |
> |
13 |
> bugzilla sucks. Ever had to download 10 attachments for one ebuild? |
14 |
> It is a good tool for discussion, but I would prefer a simple tool (like |
15 |
> layman) that can automatically update things. You obviously don't like |
16 |
> overlays, but that shouldn't be a reason to stop us from using it. |
17 |
|
18 |
Well, I thank you for your vast experience as an ebuild developer in |
19 |
this matter. |
20 |
|
21 |
You do realize that this isn't one of those things where you can say |
22 |
that if you don't like it you don't have to use it, right? |
23 |
|
24 |
This *will* affect *every* ebuild developer. |
25 |
|
26 |
This means it *CANNOT* be left up to a small group of developers to |
27 |
decide without any discussion on the matter. |
28 |
|
29 |
> > > Or, if you want some history like sources.g.o, you can do so as well here: |
30 |
> > > http://overlays.gentoo.org/proj/sunrise/browser/ |
31 |
> > |
32 |
> > Excellent. So we're moving the history from being in a single location |
33 |
> > (the bug) to being in multiple locations. That will definitely improve |
34 |
> > the development process. |
35 |
> Yes, now it is easier to check out the ebuilds. More users ==> better |
36 |
> testing. |
37 |
|
38 |
Except that now the developer has to do much more work to get the same |
39 |
information, making it even less likely that he'll bother to pick up one |
40 |
of these maintainer-wanted bugs. You also completely gloss over the |
41 |
ability of a single rogue user to now compromise countless users with a |
42 |
single commit. Please come back once you've firmly grounded yourself in |
43 |
the reality that we're a pretty popular distribution, and that makes |
44 |
this project a prime target for malicious abuse. Perhaps if you were |
45 |
responsible for some ebuilds, you've be more cognizant of the |
46 |
implications that a bad commit can cause our users. |
47 |
|
48 |
> > No offense, but everything I have seen looks |
49 |
> > as if it will add even *more* overhead to actually getting packages into |
50 |
> > the tree. The only thing this seems to provide is a half-baked |
51 |
> > repository for the users to get marginally-tested ebuilds for software |
52 |
> > that wasn't interesting enough for inclusion in the tree. |
53 |
> That differs from the 20 or so overlays maintained by users how? |
54 |
|
55 |
Let's see. They aren't on Gentoo infrastructure, which means they don't |
56 |
give off any immediate assumption of being "official" or "supported" in |
57 |
any way. Hell, go back and look at Peter's response about how he would |
58 |
use an overlay such as this only *because* it is on Gentoo |
59 |
infrastructure. |
60 |
|
61 |
So what exactly was your counter-point again? |
62 |
|
63 |
> Honestly I'd prefer an overlay where I can marginally trust the content |
64 |
> over a "foreign" repository maintained by people I don't know. |
65 |
|
66 |
Having an overlay such as this will tarnish Gentoo's reputation. We |
67 |
should not be providing *anything* that is only half-supported or |
68 |
half-tested. Anything less than being sully supported via the security |
69 |
team and QA is a failure on the part of Gentoo. We have enough *crap* |
70 |
in the *tree* that is unsupported, which makes us look bad, yet you want |
71 |
to insist on supporting a project that affects all of the ebuild |
72 |
developers, which you have not mentioned is a group which you are not a |
73 |
part of, so can gladly speak of increasing their workload with no |
74 |
consequences to yourself, and provides an avenue for low-quality or |
75 |
possibly malicious ebuilds to be distributed to our users, all under a |
76 |
Gentoo banner? |
77 |
|
78 |
I seriously question your motives towards the Gentoo project. |
79 |
|
80 |
> Hmmm ... bugzilla. |
81 |
> Instead of a simple cvs up; cd /usr/local/portage/category/package I |
82 |
> need to search for ALL bugs with $name in it, look which one it is, |
83 |
> curse bugzilla for falling asleep again, see which attachments are |
84 |
> relevant, download them, curse bugzilla for falling asleep again, copy |
85 |
> them to my overlay, read the bugcomments to see if any special renaming |
86 |
> or directory structure is needed ... |
87 |
> |
88 |
> Hmmm. I think an overlay does have some advantages there ... |
89 |
|
90 |
Sure. Until I sneak in some obfuscated code as a "fix" to a "bug" and |
91 |
it gets executed on your machine because the actual *developers* that |
92 |
are used to maintaining this stuff and know what to look for aren't a |
93 |
part of the process. |
94 |
|
95 |
Making something easier does not make it better. I'm sorry, but you've |
96 |
yet to convince me on how your laziness is supposed to be an improvement |
97 |
for the development process of Gentoo. |
98 |
|
99 |
> > Again, read what I wrote. I said that the developer would see "sunrise" |
100 |
> > in the PORTDIR_OVERLAY of the user's emerge --info, which you reiterated |
101 |
> > without considering. This is a login bug. At no point did they make |
102 |
> > mention of having installed pam_skey from this overlay. This means that |
103 |
> > I, as the developer getting this bug, am now responsible for looking at |
104 |
> > *every package* in the sunrise overlay to determine if *any* of them |
105 |
> > could *possibly* be affecting this package or causing this bug, then |
106 |
> > asking the user if they have any of them installed. |
107 |
> This differs from a manually patched ebuild in /usr/portage by virtue of showing you that an overlay is used ... |
108 |
|
109 |
Wow. Another one of those "I can't answer your issue, so I'll just try |
110 |
to divert your attention somewhere else" answers. Thanks for absolutely |
111 |
nothing but contributing noise. |
112 |
|
113 |
> > Wouldn't this process be *infinitely* easier if instead of "sunrise" |
114 |
> > there was a "pam" overlay with *only* the pam stuff? |
115 |
> Ooooh, cool. Now I need about 75 overlays to get things done, and of course there will be no bad interaction between them ;-) |
116 |
|
117 |
As opposed to the free for all that is this overlay? |
118 |
|
119 |
> Having one overlay with a focus on not-in-portage ebuilds should not |
120 |
> cause the scenario you described and will most likely cause less weird |
121 |
> bugs because of intra-overlay dependencies. |
122 |
|
123 |
What evidence do you have of this? |
124 |
|
125 |
> </opinion> |
126 |
|
127 |
Oh, right. None. |
128 |
|
129 |
> > That is *exactly* what we get with the other overlays like php and |
130 |
> > vmware. I *know* that if I'm looking at a glibc bug and the user has |
131 |
> > "php" as an overlay, that it isn't going to be a concern. |
132 |
> ... and if we control the overlay we can exclude things like system |
133 |
> packages easily. |
134 |
|
135 |
You really do a good job of making attempts to skirt the issues. Do me |
136 |
a favor, if you're just going to use vague references and try to avoid |
137 |
answering the issues at hand, don't bother wasting everyone's time by |
138 |
replying. You're more than welcome to provide some *useful* insight, |
139 |
but simply stating that something won't be an issue doesn't make it |
140 |
true. |
141 |
|
142 |
> Could be part of the policy to not touch existing ebuilds. |
143 |
|
144 |
Actually, it already is, according to jokey. |
145 |
|
146 |
> > This is a prime example of totally glossing over any discussion to make |
147 |
> > it sound promising for you. |
148 |
> If bugzilla wasn't so sucky people wouldn't try to use other methods of |
149 |
> communication ;-) |
150 |
|
151 |
Except this isn't another form of communication, nor is it being |
152 |
presented as one. Do you even bother to notice what you're writing? |
153 |
How exactly is a bunch of ebuilds in an overlay a "method of |
154 |
communication"? |
155 |
|
156 |
> And again, one svn repo vs. 113 hard-to-find bugs ... |
157 |
|
158 |
Amazing how you pull such numbers out of thin air. Which 113 bugs are |
159 |
you talking about, exactly? |
160 |
|
161 |
> > Even better, if I am the proxy |
162 |
> > maintainer for a particular set of ebuilds for one or more |
163 |
> > user/maintainers, why do I need it in your big, bloated, and completely |
164 |
> > inappropriately-named "sunshine" overlay versus a developer overlay of |
165 |
> > my own? |
166 |
> You don't. Please use your developer overlay. Please don't try to take |
167 |
> away our more open overlay. |
168 |
|
169 |
Unfortunately, your request for my dropping of this issue will not be |
170 |
honoured. This overlay is a bad idea, that is being poorly executed, |
171 |
and is being *forced* on the developer community at large with |
172 |
absolutely no for-warning or planning. It really is a shame that we |
173 |
don't have any policies that allow for action to be taken against people |
174 |
who either knowingly, or through actions of ignorance, cause massive |
175 |
damage to Gentoo such as this. |
176 |
|
177 |
> > After all, I am the *only* proxy maintainer. Why should there |
178 |
> > be the added *insecurity* of allowing any number of people that *I* |
179 |
> > might not trust complete access to the small number of packages where I |
180 |
> > am the proxy? |
181 |
> It's your choice. Either you get mailbombed with each minor version update or you trust them to not screw up with the sunrise overlay. |
182 |
|
183 |
Isn't that what the process of becoming a developer is supposed to |
184 |
build? Also, just because I trust one person, doesn't mean I trust |
185 |
someone that you trust. Trust is not implicit, it is earned. Some |
186 |
random user having complete access to an area where only people that *I* |
187 |
trust should really have access is not instilling faith in me of this |
188 |
project. However, instead of answering these concerns, you simply brush |
189 |
them aside as a non-issue, though I am not the only developer that has |
190 |
spoken out on this *exact* same issue. |
191 |
|
192 |
> And the users could just create their own overlay, get it added to |
193 |
> layman and we'd have the same without supervision. From where I'm |
194 |
> standing it's better to have the possibility to nuke a bad ebuild in the |
195 |
> overlay instead of asking some random user to change this in that |
196 |
> overlay because of $problem. |
197 |
|
198 |
Why exactly are we supporting these overlays via layman anyway? That |
199 |
implies a level of trust and support that you admit we do not have. I |
200 |
guess I should touch on that subject next, but that doesn't belong in |
201 |
this discussion. |
202 |
|
203 |
> Maybe we even find some motivated new ebuild monkeys that have the |
204 |
> motivation to become devs ... one can always hope :-) |
205 |
|
206 |
...and maybe we get owned and people quit using Gentoo because a few |
207 |
developers decided to go against the advice of other developers and |
208 |
allowed for an easy-access, easily-exploitable way for some malicious |
209 |
user to own countless Gentoo boxes, and nobody did anything to stop it. |
210 |
|
211 |
Well, I am going to do everything within my power to stop it. I will |
212 |
not back down until this project is dead. It really is that simple. |
213 |
|
214 |
-- |
215 |
Chris Gianelloni |
216 |
Release Engineering - Strategic Lead |
217 |
x86 Architecture Team |
218 |
Games - Developer |
219 |
Gentoo Linux |