| 1 |
Aaron W. Swenson: |
| 2 |
> |
| 3 |
> This is what's been driving me batty. None of you verified my identity |
| 4 |
> before letting me be an official Gentoo Developer. Yet I have access to |
| 5 |
> the repo. All I had to do was complete the quizzes. |
| 6 |
> |
| 7 |
|
| 8 |
The only way to improve security in the sense of random collaborators is |
| 9 |
to not grant them push access in the first place. This is almost going |
| 10 |
offtopic since it still doesn't solve the attack vector this topic was |
| 11 |
initially about. But our project model is definitely not up to date anymore. |
| 12 |
|
| 13 |
Let me quote Bryan Østergaard in this context [0]: |
| 14 |
|
| 15 |
> Other source based distributions follows a fairly closed development model that relies on a particular group of developers doing most, if not all the work and a somewhat complex organisation model that's supposed to help solve internal problems. The most common solution when technical problems (such as packages not getting timely updates) occurs is to add more developers to the organisation. Unfortunately this also tends to amplify any organisational problems. |
| 16 |
|
| 17 |
Not just organisational problems, but also trust problems and QA |
| 18 |
problems on top of that. If we want to improve this, we have to think |
| 19 |
again and start a real review-based development model. This will mean |
| 20 |
changing the whole gentoo project structure and use the benefits of git |
| 21 |
to do it right. Anyone up for that? I guess not. You'd have to write up |
| 22 |
10+ GLEPs to even try it, lol. |
| 23 |
|
| 24 |
|
| 25 |
-- |
| 26 |
[0] https://archive.fosdem.org/2009/interview/bryan+ostergaard |
Archives