| 1 |
On Fri, 2006-06-09 at 10:28 +0200, Patrick Lauer wrote: |
| 2 |
> On Thu, 2006-06-08 at 20:06 -0400, Chris Gianelloni wrote: |
| 3 |
> > > You don't need a subversion client, you perhaps notice the http in front |
| 4 |
> > > of the url.. just open it up in your browser and you get the source |
| 5 |
> > > immediately. |
| 6 |
> > |
| 7 |
> > Umm... so now I need to go and instead of clicking a nice link in |
| 8 |
> > bugzilla, trawl through the subversion repository and find what I'm |
| 9 |
> > looking for? How exactly is downloading things via http any different |
| 10 |
> > than downloading them from bugzilla, which is also http? |
| 11 |
> just my point of view - |
| 12 |
> |
| 13 |
> bugzilla sucks. Ever had to download 10 attachments for one ebuild? |
| 14 |
> It is a good tool for discussion, but I would prefer a simple tool (like |
| 15 |
> layman) that can automatically update things. You obviously don't like |
| 16 |
> overlays, but that shouldn't be a reason to stop us from using it. |
| 17 |
|
| 18 |
Well, I thank you for your vast experience as an ebuild developer in |
| 19 |
this matter. |
| 20 |
|
| 21 |
You do realize that this isn't one of those things where you can say |
| 22 |
that if you don't like it you don't have to use it, right? |
| 23 |
|
| 24 |
This *will* affect *every* ebuild developer. |
| 25 |
|
| 26 |
This means it *CANNOT* be left up to a small group of developers to |
| 27 |
decide without any discussion on the matter. |
| 28 |
|
| 29 |
> > > Or, if you want some history like sources.g.o, you can do so as well here: |
| 30 |
> > > http://overlays.gentoo.org/proj/sunrise/browser/ |
| 31 |
> > |
| 32 |
> > Excellent. So we're moving the history from being in a single location |
| 33 |
> > (the bug) to being in multiple locations. That will definitely improve |
| 34 |
> > the development process. |
| 35 |
> Yes, now it is easier to check out the ebuilds. More users ==> better |
| 36 |
> testing. |
| 37 |
|
| 38 |
Except that now the developer has to do much more work to get the same |
| 39 |
information, making it even less likely that he'll bother to pick up one |
| 40 |
of these maintainer-wanted bugs. You also completely gloss over the |
| 41 |
ability of a single rogue user to now compromise countless users with a |
| 42 |
single commit. Please come back once you've firmly grounded yourself in |
| 43 |
the reality that we're a pretty popular distribution, and that makes |
| 44 |
this project a prime target for malicious abuse. Perhaps if you were |
| 45 |
responsible for some ebuilds, you've be more cognizant of the |
| 46 |
implications that a bad commit can cause our users. |
| 47 |
|
| 48 |
> > No offense, but everything I have seen looks |
| 49 |
> > as if it will add even *more* overhead to actually getting packages into |
| 50 |
> > the tree. The only thing this seems to provide is a half-baked |
| 51 |
> > repository for the users to get marginally-tested ebuilds for software |
| 52 |
> > that wasn't interesting enough for inclusion in the tree. |
| 53 |
> That differs from the 20 or so overlays maintained by users how? |
| 54 |
|
| 55 |
Let's see. They aren't on Gentoo infrastructure, which means they don't |
| 56 |
give off any immediate assumption of being "official" or "supported" in |
| 57 |
any way. Hell, go back and look at Peter's response about how he would |
| 58 |
use an overlay such as this only *because* it is on Gentoo |
| 59 |
infrastructure. |
| 60 |
|
| 61 |
So what exactly was your counter-point again? |
| 62 |
|
| 63 |
> Honestly I'd prefer an overlay where I can marginally trust the content |
| 64 |
> over a "foreign" repository maintained by people I don't know. |
| 65 |
|
| 66 |
Having an overlay such as this will tarnish Gentoo's reputation. We |
| 67 |
should not be providing *anything* that is only half-supported or |
| 68 |
half-tested. Anything less than being sully supported via the security |
| 69 |
team and QA is a failure on the part of Gentoo. We have enough *crap* |
| 70 |
in the *tree* that is unsupported, which makes us look bad, yet you want |
| 71 |
to insist on supporting a project that affects all of the ebuild |
| 72 |
developers, which you have not mentioned is a group which you are not a |
| 73 |
part of, so can gladly speak of increasing their workload with no |
| 74 |
consequences to yourself, and provides an avenue for low-quality or |
| 75 |
possibly malicious ebuilds to be distributed to our users, all under a |
| 76 |
Gentoo banner? |
| 77 |
|
| 78 |
I seriously question your motives towards the Gentoo project. |
| 79 |
|
| 80 |
> Hmmm ... bugzilla. |
| 81 |
> Instead of a simple cvs up; cd /usr/local/portage/category/package I |
| 82 |
> need to search for ALL bugs with $name in it, look which one it is, |
| 83 |
> curse bugzilla for falling asleep again, see which attachments are |
| 84 |
> relevant, download them, curse bugzilla for falling asleep again, copy |
| 85 |
> them to my overlay, read the bugcomments to see if any special renaming |
| 86 |
> or directory structure is needed ... |
| 87 |
> |
| 88 |
> Hmmm. I think an overlay does have some advantages there ... |
| 89 |
|
| 90 |
Sure. Until I sneak in some obfuscated code as a "fix" to a "bug" and |
| 91 |
it gets executed on your machine because the actual *developers* that |
| 92 |
are used to maintaining this stuff and know what to look for aren't a |
| 93 |
part of the process. |
| 94 |
|
| 95 |
Making something easier does not make it better. I'm sorry, but you've |
| 96 |
yet to convince me on how your laziness is supposed to be an improvement |
| 97 |
for the development process of Gentoo. |
| 98 |
|
| 99 |
> > Again, read what I wrote. I said that the developer would see "sunrise" |
| 100 |
> > in the PORTDIR_OVERLAY of the user's emerge --info, which you reiterated |
| 101 |
> > without considering. This is a login bug. At no point did they make |
| 102 |
> > mention of having installed pam_skey from this overlay. This means that |
| 103 |
> > I, as the developer getting this bug, am now responsible for looking at |
| 104 |
> > *every package* in the sunrise overlay to determine if *any* of them |
| 105 |
> > could *possibly* be affecting this package or causing this bug, then |
| 106 |
> > asking the user if they have any of them installed. |
| 107 |
> This differs from a manually patched ebuild in /usr/portage by virtue of showing you that an overlay is used ... |
| 108 |
|
| 109 |
Wow. Another one of those "I can't answer your issue, so I'll just try |
| 110 |
to divert your attention somewhere else" answers. Thanks for absolutely |
| 111 |
nothing but contributing noise. |
| 112 |
|
| 113 |
> > Wouldn't this process be *infinitely* easier if instead of "sunrise" |
| 114 |
> > there was a "pam" overlay with *only* the pam stuff? |
| 115 |
> Ooooh, cool. Now I need about 75 overlays to get things done, and of course there will be no bad interaction between them ;-) |
| 116 |
|
| 117 |
As opposed to the free for all that is this overlay? |
| 118 |
|
| 119 |
> Having one overlay with a focus on not-in-portage ebuilds should not |
| 120 |
> cause the scenario you described and will most likely cause less weird |
| 121 |
> bugs because of intra-overlay dependencies. |
| 122 |
|
| 123 |
What evidence do you have of this? |
| 124 |
|
| 125 |
> </opinion> |
| 126 |
|
| 127 |
Oh, right. None. |
| 128 |
|
| 129 |
> > That is *exactly* what we get with the other overlays like php and |
| 130 |
> > vmware. I *know* that if I'm looking at a glibc bug and the user has |
| 131 |
> > "php" as an overlay, that it isn't going to be a concern. |
| 132 |
> ... and if we control the overlay we can exclude things like system |
| 133 |
> packages easily. |
| 134 |
|
| 135 |
You really do a good job of making attempts to skirt the issues. Do me |
| 136 |
a favor, if you're just going to use vague references and try to avoid |
| 137 |
answering the issues at hand, don't bother wasting everyone's time by |
| 138 |
replying. You're more than welcome to provide some *useful* insight, |
| 139 |
but simply stating that something won't be an issue doesn't make it |
| 140 |
true. |
| 141 |
|
| 142 |
> Could be part of the policy to not touch existing ebuilds. |
| 143 |
|
| 144 |
Actually, it already is, according to jokey. |
| 145 |
|
| 146 |
> > This is a prime example of totally glossing over any discussion to make |
| 147 |
> > it sound promising for you. |
| 148 |
> If bugzilla wasn't so sucky people wouldn't try to use other methods of |
| 149 |
> communication ;-) |
| 150 |
|
| 151 |
Except this isn't another form of communication, nor is it being |
| 152 |
presented as one. Do you even bother to notice what you're writing? |
| 153 |
How exactly is a bunch of ebuilds in an overlay a "method of |
| 154 |
communication"? |
| 155 |
|
| 156 |
> And again, one svn repo vs. 113 hard-to-find bugs ... |
| 157 |
|
| 158 |
Amazing how you pull such numbers out of thin air. Which 113 bugs are |
| 159 |
you talking about, exactly? |
| 160 |
|
| 161 |
> > Even better, if I am the proxy |
| 162 |
> > maintainer for a particular set of ebuilds for one or more |
| 163 |
> > user/maintainers, why do I need it in your big, bloated, and completely |
| 164 |
> > inappropriately-named "sunshine" overlay versus a developer overlay of |
| 165 |
> > my own? |
| 166 |
> You don't. Please use your developer overlay. Please don't try to take |
| 167 |
> away our more open overlay. |
| 168 |
|
| 169 |
Unfortunately, your request for my dropping of this issue will not be |
| 170 |
honoured. This overlay is a bad idea, that is being poorly executed, |
| 171 |
and is being *forced* on the developer community at large with |
| 172 |
absolutely no for-warning or planning. It really is a shame that we |
| 173 |
don't have any policies that allow for action to be taken against people |
| 174 |
who either knowingly, or through actions of ignorance, cause massive |
| 175 |
damage to Gentoo such as this. |
| 176 |
|
| 177 |
> > After all, I am the *only* proxy maintainer. Why should there |
| 178 |
> > be the added *insecurity* of allowing any number of people that *I* |
| 179 |
> > might not trust complete access to the small number of packages where I |
| 180 |
> > am the proxy? |
| 181 |
> It's your choice. Either you get mailbombed with each minor version update or you trust them to not screw up with the sunrise overlay. |
| 182 |
|
| 183 |
Isn't that what the process of becoming a developer is supposed to |
| 184 |
build? Also, just because I trust one person, doesn't mean I trust |
| 185 |
someone that you trust. Trust is not implicit, it is earned. Some |
| 186 |
random user having complete access to an area where only people that *I* |
| 187 |
trust should really have access is not instilling faith in me of this |
| 188 |
project. However, instead of answering these concerns, you simply brush |
| 189 |
them aside as a non-issue, though I am not the only developer that has |
| 190 |
spoken out on this *exact* same issue. |
| 191 |
|
| 192 |
> And the users could just create their own overlay, get it added to |
| 193 |
> layman and we'd have the same without supervision. From where I'm |
| 194 |
> standing it's better to have the possibility to nuke a bad ebuild in the |
| 195 |
> overlay instead of asking some random user to change this in that |
| 196 |
> overlay because of $problem. |
| 197 |
|
| 198 |
Why exactly are we supporting these overlays via layman anyway? That |
| 199 |
implies a level of trust and support that you admit we do not have. I |
| 200 |
guess I should touch on that subject next, but that doesn't belong in |
| 201 |
this discussion. |
| 202 |
|
| 203 |
> Maybe we even find some motivated new ebuild monkeys that have the |
| 204 |
> motivation to become devs ... one can always hope :-) |
| 205 |
|
| 206 |
...and maybe we get owned and people quit using Gentoo because a few |
| 207 |
developers decided to go against the advice of other developers and |
| 208 |
allowed for an easy-access, easily-exploitable way for some malicious |
| 209 |
user to own countless Gentoo boxes, and nobody did anything to stop it. |
| 210 |
|
| 211 |
Well, I am going to do everything within my power to stop it. I will |
| 212 |
not back down until this project is dead. It really is that simple. |
| 213 |
|
| 214 |
-- |
| 215 |
Chris Gianelloni |
| 216 |
Release Engineering - Strategic Lead |
| 217 |
x86 Architecture Team |
| 218 |
Games - Developer |
| 219 |
Gentoo Linux |
Archives