| 1 |
First let me state this one really important thing: |
| 2 |
|
| 3 |
The sunrise project is a project on its own. We're about to convert it |
| 4 |
to a TLP to make clear that it shares nothing with the overlay project |
| 5 |
except the hardware ressources and the overlay feature of portage. |
| 6 |
|
| 7 |
Chris Gianelloni wrote: |
| 8 |
> On Thu, 2006-06-08 at 20:58 +0200, Markus Ullmann wrote: |
| 9 |
>> To clarify things a bit (hopefully): |
| 10 |
>> |
| 11 |
>> 1) security |
| 12 |
>> |
| 13 |
> I know that when I spoke of security, I was not only talking about the |
| 14 |
> security of letting non-developers commit to an overlay that is, by |
| 15 |
> design, for end users, but also of the implications of ensuring that any |
| 16 |
> packages in these overlays are not vulnerable to exploits. |
| 17 |
|
| 18 |
You're right here, there is a chance that your system gets vulnerable. |
| 19 |
But this isn't limited to this one overlay. All overlays are affected here. |
| 20 |
|
| 21 |
>> 2) responsibility |
| 22 |
>> |
| 23 |
>> As already mentioned at 1), it is an overlay. The devs on sunrise do |
| 24 |
>> keep an eye on it and all ebuilds do have to pass at least repoman and |
| 25 |
>> some basic QA checks (currently done when porting them from bugs.g.o) so |
| 26 |
>> that they don't do some rm -rf / thing. They should be improved by the |
| 27 |
>> contributors then so that we have two things here: a) a contributor who |
| 28 |
>> can contribute good-quality ebuils and b) a good ebuild to be picked up |
| 29 |
>> by a dev and ported to the tree |
| 30 |
> |
| 31 |
> The problem is that you are only checking on the initial commit. Go |
| 32 |
> back to point #1 (security). |
| 33 |
|
| 34 |
You just assume this, no real reason/example for it. |
| 35 |
|
| 36 |
> Again, the entire concept of overlays.gentoo.org was stated again and |
| 37 |
> again that this would *not* be the result of the project. Many of the |
| 38 |
> maintainer-wanted ebuilds are quite good, many need to be completely |
| 39 |
> rewritten to even work properly. |
| 40 |
|
| 41 |
First let me say this. We don't blindly commit things here nor do we |
| 42 |
commit everything from m-w bugs. There is this interface inbetween |
| 43 |
called human intelligence. |
| 44 |
|
| 45 |
So I can convince you that I do look at things that are committed. |
| 46 |
|
| 47 |
> This also completely missing the point that most of the things in |
| 48 |
> maintainer-wanted are there because there is not a developer interested |
| 49 |
> in them. How will this change by moving the ebuild into an overlay, I |
| 50 |
> have yet to hear. |
| 51 |
|
| 52 |
Well if you can look / test a bit easier, that helps a lot... Some |
| 53 |
(won't exclude myself here) are just a bit lazy if they see a bunch of |
| 54 |
things to download, rename and move instead of a single checkout command ;) |
| 55 |
|
| 56 |
>> 3) replacement for bugs.g.o |
| 57 |
>> |
| 58 |
>> This project isn't a try to replace the contributions to bugs. It should |
| 59 |
>> just help to fetch and update things. We have help from bug-wranglers |
| 60 |
>> here (well, at least from jakub) to keep the overlay in sync with it so |
| 61 |
>> that one can say "Yeah, my-example/myapp r158 has this and this issue, |
| 62 |
>> here is a fix for it" and then either the sunrise-devs or one of the |
| 63 |
>> project-contributors commits it to the overlay. |
| 64 |
> |
| 65 |
> Honestly, having to break out a subversion client to check a fix |
| 66 |
> immediately sounds like extra work. It is usually much easier to simply |
| 67 |
> look at the attachment online and make a decision immediately. |
| 68 |
|
| 69 |
You don't need a subversion client, you perhaps notice the http in front |
| 70 |
of the url.. just open it up in your browser and you get the source |
| 71 |
immediately. |
| 72 |
Or, if you want some history like sources.g.o, you can do so as well here: |
| 73 |
http://overlays.gentoo.org/proj/sunrise/browser/ |
| 74 |
|
| 75 |
>> 4) workload on devs |
| 76 |
>> |
| 77 |
>> Well I really have problems to see increased workload on devs here who |
| 78 |
>> don't actively support the project. They can scour bugzie for |
| 79 |
>> interesting ebuilds and instead of fetching files, renaming them, moving |
| 80 |
>> them to a local overlay dir, just do a svn co |
| 81 |
>> http://overlays.gentoo.org/svn/proj/sunrise/sys-auth/pam_skey/ (as an |
| 82 |
>> example here) and you have all needed files already prepared to look at |
| 83 |
>> them or to give them a try. |
| 84 |
> |
| 85 |
> Except that I can *look* at an ebuild without having to break out a |
| 86 |
> subversion client currently. |
| 87 |
See my answer in 3) |
| 88 |
|
| 89 |
Also, you completely gloss over the fact |
| 90 |
> that this is a overlay designed for end-user usage. This means that |
| 91 |
> anything in this overlay is *very* likely to be on user's machines and |
| 92 |
> cause any number of possible problems. Let's use your pam_skey as an |
| 93 |
> example. Now, let's say that someone has this installed, and has |
| 94 |
> configured it improperly. They file a bug because they are unable to |
| 95 |
> login, and the pam maintainers receive the bug. |
| 96 |
> How exactly are they |
| 97 |
> supposed to know that this user has pam_skey even *available* to them |
| 98 |
> when all they see as an overlay is "sunrise" and not the |
| 99 |
> project-specific overlays that overlays.gentoo.org was designed for? |
| 100 |
|
| 101 |
Well as the ebuilds in there already have open bugs, comments can be |
| 102 |
attached there. |
| 103 |
Secondly, the portage team already integrates a patch to show you a |
| 104 |
bright warning in the error that you use an overlay... also, if you take |
| 105 |
a look at the PORTDIR_OVERLAY in emerge --info, you can get really fast |
| 106 |
that in case you don't find the ebuild in tree that it doesn't belong |
| 107 |
there. (We even get bugs originating at other overlay's ebuils...) |
| 108 |
|
| 109 |
|
| 110 |
> All of the time wasted to determine that the user has done something |
| 111 |
> unsupported to break their system is time that this developer could be |
| 112 |
> working on a problem with a package that is actually in the portage |
| 113 |
> tree, which is our primary product. |
| 114 |
|
| 115 |
bug wranglers already do this job currently... |
| 116 |
|
| 117 |
> |
| 118 |
>> 5) the tarball problem |
| 119 |
>> |
| 120 |
>> On some bugs we also notice that people contribute tarballs instead of |
| 121 |
>> ebuilds and the files as such. |
| 122 |
>> Some apps need a change on a bunch of files with every version bump. |
| 123 |
>> Take MailScanner as an example ( |
| 124 |
>> http://bugs.gentoo.org/show_bug.cgi?id=36060 ). Many devs cry out loud |
| 125 |
>> when they come across a tarball on bugzie. It is not the best way of |
| 126 |
>> contribution, I know that myself. But take it the otherway around. |
| 127 |
>> Someone out there took time (on some apps it is really much time) and |
| 128 |
>> provided an ebuild. Maybe he is new to it and doesn't know much about |
| 129 |
>> bugzie (no usability talk required here, done every 3 months on bugzie |
| 130 |
>> devel ml) then they post their hard work there. Then a dev comes along |
| 131 |
>> and says "never ever do attach tarballs blah blubb", the contributor |
| 132 |
>> feels scared as it was his first contribution and the dev was crying out |
| 133 |
>> loud and would surely think twice if the work done is worth it. |
| 134 |
> |
| 135 |
> An overlay will have exactly 0 impact on this. You have already stated |
| 136 |
> that the ebuilds will come from bugzilla. That means that a user can |
| 137 |
> still post a tarball and can still have a developer request that he not |
| 138 |
> post a tarball again. This is a non-issue in this conversation. |
| 139 |
|
| 140 |
Well it is partly, as the dev isn't needed to clarify things here. If we |
| 141 |
come across something like this, we'll work these things out.. i.e. |
| 142 |
offer to send us the tarball to commit or (if the user has proven |
| 143 |
himself trustworthy to the project admins) give him commit access to |
| 144 |
fire things up himself. |
| 145 |
|
| 146 |
>> 6) problems on infra hardware |
| 147 |
>> |
| 148 |
>> Well Lance arised that, so if infra has that big concerns about this |
| 149 |
>> project (I personally see no hard reason for it, but let the infra guys |
| 150 |
>> handle it how they want), then feel free to drop me a note and we host |
| 151 |
>> it elsewhere. I really see a great chance for contributors here as they |
| 152 |
>> can improve themselves here and if they contribute good quality, even |
| 153 |
>> commit themselves and learn how to handle maintainership. You all know |
| 154 |
>> we also have some people out there that would like to maintain just one |
| 155 |
>> or two packages. Now we call it proxy maintainership but why not giving |
| 156 |
>> them commit access to sunrise then? They can maintain it here without |
| 157 |
>> the whole workload as dev, but maybe they get encouraged by doing so and |
| 158 |
>> then become a dev later. Lots of options are possible here. |
| 159 |
> |
| 160 |
> You miss something. Things in this overlay still don't make it into the |
| 161 |
> official tree unless a maintainer picks it up. Taking an ebuild from |
| 162 |
> bugzilla and being responsible for it and taking an ebuild from an |
| 163 |
> overlay and being responsible for it have the exact same cost on |
| 164 |
> developer resources. Someone *still* has to maintain it. |
| 165 |
|
| 166 |
Yup, but the proxy maintainerships are much easier to track as they're |
| 167 |
done on one central place... |
| 168 |
|
| 169 |
Greetz, |
| 170 |
Jokey |
Archives