| 1 |
On Tue, Jan 06, 2004 at 12:39:29AM -0800 or thereabouts, Robert Cole wrote: |
| 2 |
> I like it. That's a very good process. I'm talking about ebuilds here. I'll be |
| 3 |
> honest and say I don't know how the backend of the portage tree works with |
| 4 |
> security and all but maybe another tier would be in order if possible. Like a |
| 5 |
> low access new ebuild access that gets queued and not actually put in the |
| 6 |
> tree and someone with access could simply flag it to move into the tree or |
| 7 |
> reject it sending an email back to the creator of the ebuild why. |
| 8 |
|
| 9 |
You've just described bugs.gentoo.org. |
| 10 |
|
| 11 |
Granted, plenty of ebuilds sit in there and never make it into the tree. |
| 12 |
This is not the fault of bugzilla, however. It is more a problem with our |
| 13 |
process. Ebuilds make it into the tree when a developer cares about them. |
| 14 |
If no developer cares about them, they tend not to make it into the tree. |
| 15 |
For right or wrong, that's how things work today. |
| 16 |
|
| 17 |
I could see benefits to having a dedicated person, who was extremley |
| 18 |
knowledgeable in the ins/outs of ebuild creation who did nothing else |
| 19 |
except scan bugs.gentoo.org for new ebuilds and put them into the tree. |
| 20 |
Whether there's a person out there with the right skill set willing to do |
| 21 |
such a job is another question entirely. (not saying there isn't, btw) |
| 22 |
|
| 23 |
> > You would be cautious too if there were an estimated quarter of a |
| 24 |
> > million systems at stake. |
| 25 |
> |
| 26 |
> Those systems aren't yours or any other gentoo devs responsibility. I think if |
| 27 |
> most gentoo users/admins would really really think about it they know the |
| 28 |
> risks they took when they started using gentoo. It's bleeding edge using |
| 29 |
> ACCEPT_KEYWORDS or not. I understand, and if every gentoo user would really |
| 30 |
> be honest with themselves, that my system could go POOF on the next world |
| 31 |
> update. I know mine has a few times in the earlier days of gentoo. That's |
| 32 |
> life on the bleeding edge. |
| 33 |
|
| 34 |
I believe Jon was talking more about the security side of the house. Each |
| 35 |
developer we give CVS access to is one more developer that can commit a |
| 36 |
trojaned ebuild or do something else nasty. Thus, we try to be somewhat |
| 37 |
careful about handing the keys to the kingdom over to new folks. |
| 38 |
|
| 39 |
--kurt |
Archives