1 |
First let me state this one really important thing: |
2 |
|
3 |
The sunrise project is a project on its own. We're about to convert it |
4 |
to a TLP to make clear that it shares nothing with the overlay project |
5 |
except the hardware ressources and the overlay feature of portage. |
6 |
|
7 |
Chris Gianelloni wrote: |
8 |
> On Thu, 2006-06-08 at 20:58 +0200, Markus Ullmann wrote: |
9 |
>> To clarify things a bit (hopefully): |
10 |
>> |
11 |
>> 1) security |
12 |
>> |
13 |
> I know that when I spoke of security, I was not only talking about the |
14 |
> security of letting non-developers commit to an overlay that is, by |
15 |
> design, for end users, but also of the implications of ensuring that any |
16 |
> packages in these overlays are not vulnerable to exploits. |
17 |
|
18 |
You're right here, there is a chance that your system gets vulnerable. |
19 |
But this isn't limited to this one overlay. All overlays are affected here. |
20 |
|
21 |
>> 2) responsibility |
22 |
>> |
23 |
>> As already mentioned at 1), it is an overlay. The devs on sunrise do |
24 |
>> keep an eye on it and all ebuilds do have to pass at least repoman and |
25 |
>> some basic QA checks (currently done when porting them from bugs.g.o) so |
26 |
>> that they don't do some rm -rf / thing. They should be improved by the |
27 |
>> contributors then so that we have two things here: a) a contributor who |
28 |
>> can contribute good-quality ebuils and b) a good ebuild to be picked up |
29 |
>> by a dev and ported to the tree |
30 |
> |
31 |
> The problem is that you are only checking on the initial commit. Go |
32 |
> back to point #1 (security). |
33 |
|
34 |
You just assume this, no real reason/example for it. |
35 |
|
36 |
> Again, the entire concept of overlays.gentoo.org was stated again and |
37 |
> again that this would *not* be the result of the project. Many of the |
38 |
> maintainer-wanted ebuilds are quite good, many need to be completely |
39 |
> rewritten to even work properly. |
40 |
|
41 |
First let me say this. We don't blindly commit things here nor do we |
42 |
commit everything from m-w bugs. There is this interface inbetween |
43 |
called human intelligence. |
44 |
|
45 |
So I can convince you that I do look at things that are committed. |
46 |
|
47 |
> This also completely missing the point that most of the things in |
48 |
> maintainer-wanted are there because there is not a developer interested |
49 |
> in them. How will this change by moving the ebuild into an overlay, I |
50 |
> have yet to hear. |
51 |
|
52 |
Well if you can look / test a bit easier, that helps a lot... Some |
53 |
(won't exclude myself here) are just a bit lazy if they see a bunch of |
54 |
things to download, rename and move instead of a single checkout command ;) |
55 |
|
56 |
>> 3) replacement for bugs.g.o |
57 |
>> |
58 |
>> This project isn't a try to replace the contributions to bugs. It should |
59 |
>> just help to fetch and update things. We have help from bug-wranglers |
60 |
>> here (well, at least from jakub) to keep the overlay in sync with it so |
61 |
>> that one can say "Yeah, my-example/myapp r158 has this and this issue, |
62 |
>> here is a fix for it" and then either the sunrise-devs or one of the |
63 |
>> project-contributors commits it to the overlay. |
64 |
> |
65 |
> Honestly, having to break out a subversion client to check a fix |
66 |
> immediately sounds like extra work. It is usually much easier to simply |
67 |
> look at the attachment online and make a decision immediately. |
68 |
|
69 |
You don't need a subversion client, you perhaps notice the http in front |
70 |
of the url.. just open it up in your browser and you get the source |
71 |
immediately. |
72 |
Or, if you want some history like sources.g.o, you can do so as well here: |
73 |
http://overlays.gentoo.org/proj/sunrise/browser/ |
74 |
|
75 |
>> 4) workload on devs |
76 |
>> |
77 |
>> Well I really have problems to see increased workload on devs here who |
78 |
>> don't actively support the project. They can scour bugzie for |
79 |
>> interesting ebuilds and instead of fetching files, renaming them, moving |
80 |
>> them to a local overlay dir, just do a svn co |
81 |
>> http://overlays.gentoo.org/svn/proj/sunrise/sys-auth/pam_skey/ (as an |
82 |
>> example here) and you have all needed files already prepared to look at |
83 |
>> them or to give them a try. |
84 |
> |
85 |
> Except that I can *look* at an ebuild without having to break out a |
86 |
> subversion client currently. |
87 |
See my answer in 3) |
88 |
|
89 |
Also, you completely gloss over the fact |
90 |
> that this is a overlay designed for end-user usage. This means that |
91 |
> anything in this overlay is *very* likely to be on user's machines and |
92 |
> cause any number of possible problems. Let's use your pam_skey as an |
93 |
> example. Now, let's say that someone has this installed, and has |
94 |
> configured it improperly. They file a bug because they are unable to |
95 |
> login, and the pam maintainers receive the bug. |
96 |
> How exactly are they |
97 |
> supposed to know that this user has pam_skey even *available* to them |
98 |
> when all they see as an overlay is "sunrise" and not the |
99 |
> project-specific overlays that overlays.gentoo.org was designed for? |
100 |
|
101 |
Well as the ebuilds in there already have open bugs, comments can be |
102 |
attached there. |
103 |
Secondly, the portage team already integrates a patch to show you a |
104 |
bright warning in the error that you use an overlay... also, if you take |
105 |
a look at the PORTDIR_OVERLAY in emerge --info, you can get really fast |
106 |
that in case you don't find the ebuild in tree that it doesn't belong |
107 |
there. (We even get bugs originating at other overlay's ebuils...) |
108 |
|
109 |
|
110 |
> All of the time wasted to determine that the user has done something |
111 |
> unsupported to break their system is time that this developer could be |
112 |
> working on a problem with a package that is actually in the portage |
113 |
> tree, which is our primary product. |
114 |
|
115 |
bug wranglers already do this job currently... |
116 |
|
117 |
> |
118 |
>> 5) the tarball problem |
119 |
>> |
120 |
>> On some bugs we also notice that people contribute tarballs instead of |
121 |
>> ebuilds and the files as such. |
122 |
>> Some apps need a change on a bunch of files with every version bump. |
123 |
>> Take MailScanner as an example ( |
124 |
>> http://bugs.gentoo.org/show_bug.cgi?id=36060 ). Many devs cry out loud |
125 |
>> when they come across a tarball on bugzie. It is not the best way of |
126 |
>> contribution, I know that myself. But take it the otherway around. |
127 |
>> Someone out there took time (on some apps it is really much time) and |
128 |
>> provided an ebuild. Maybe he is new to it and doesn't know much about |
129 |
>> bugzie (no usability talk required here, done every 3 months on bugzie |
130 |
>> devel ml) then they post their hard work there. Then a dev comes along |
131 |
>> and says "never ever do attach tarballs blah blubb", the contributor |
132 |
>> feels scared as it was his first contribution and the dev was crying out |
133 |
>> loud and would surely think twice if the work done is worth it. |
134 |
> |
135 |
> An overlay will have exactly 0 impact on this. You have already stated |
136 |
> that the ebuilds will come from bugzilla. That means that a user can |
137 |
> still post a tarball and can still have a developer request that he not |
138 |
> post a tarball again. This is a non-issue in this conversation. |
139 |
|
140 |
Well it is partly, as the dev isn't needed to clarify things here. If we |
141 |
come across something like this, we'll work these things out.. i.e. |
142 |
offer to send us the tarball to commit or (if the user has proven |
143 |
himself trustworthy to the project admins) give him commit access to |
144 |
fire things up himself. |
145 |
|
146 |
>> 6) problems on infra hardware |
147 |
>> |
148 |
>> Well Lance arised that, so if infra has that big concerns about this |
149 |
>> project (I personally see no hard reason for it, but let the infra guys |
150 |
>> handle it how they want), then feel free to drop me a note and we host |
151 |
>> it elsewhere. I really see a great chance for contributors here as they |
152 |
>> can improve themselves here and if they contribute good quality, even |
153 |
>> commit themselves and learn how to handle maintainership. You all know |
154 |
>> we also have some people out there that would like to maintain just one |
155 |
>> or two packages. Now we call it proxy maintainership but why not giving |
156 |
>> them commit access to sunrise then? They can maintain it here without |
157 |
>> the whole workload as dev, but maybe they get encouraged by doing so and |
158 |
>> then become a dev later. Lots of options are possible here. |
159 |
> |
160 |
> You miss something. Things in this overlay still don't make it into the |
161 |
> official tree unless a maintainer picks it up. Taking an ebuild from |
162 |
> bugzilla and being responsible for it and taking an ebuild from an |
163 |
> overlay and being responsible for it have the exact same cost on |
164 |
> developer resources. Someone *still* has to maintain it. |
165 |
|
166 |
Yup, but the proxy maintainerships are much easier to track as they're |
167 |
done on one central place... |
168 |
|
169 |
Greetz, |
170 |
Jokey |