1 |
On Tue, Jan 06, 2004 at 12:39:29AM -0800 or thereabouts, Robert Cole wrote: |
2 |
> I like it. That's a very good process. I'm talking about ebuilds here. I'll be |
3 |
> honest and say I don't know how the backend of the portage tree works with |
4 |
> security and all but maybe another tier would be in order if possible. Like a |
5 |
> low access new ebuild access that gets queued and not actually put in the |
6 |
> tree and someone with access could simply flag it to move into the tree or |
7 |
> reject it sending an email back to the creator of the ebuild why. |
8 |
|
9 |
You've just described bugs.gentoo.org. |
10 |
|
11 |
Granted, plenty of ebuilds sit in there and never make it into the tree. |
12 |
This is not the fault of bugzilla, however. It is more a problem with our |
13 |
process. Ebuilds make it into the tree when a developer cares about them. |
14 |
If no developer cares about them, they tend not to make it into the tree. |
15 |
For right or wrong, that's how things work today. |
16 |
|
17 |
I could see benefits to having a dedicated person, who was extremley |
18 |
knowledgeable in the ins/outs of ebuild creation who did nothing else |
19 |
except scan bugs.gentoo.org for new ebuilds and put them into the tree. |
20 |
Whether there's a person out there with the right skill set willing to do |
21 |
such a job is another question entirely. (not saying there isn't, btw) |
22 |
|
23 |
> > You would be cautious too if there were an estimated quarter of a |
24 |
> > million systems at stake. |
25 |
> |
26 |
> Those systems aren't yours or any other gentoo devs responsibility. I think if |
27 |
> most gentoo users/admins would really really think about it they know the |
28 |
> risks they took when they started using gentoo. It's bleeding edge using |
29 |
> ACCEPT_KEYWORDS or not. I understand, and if every gentoo user would really |
30 |
> be honest with themselves, that my system could go POOF on the next world |
31 |
> update. I know mine has a few times in the earlier days of gentoo. That's |
32 |
> life on the bleeding edge. |
33 |
|
34 |
I believe Jon was talking more about the security side of the house. Each |
35 |
developer we give CVS access to is one more developer that can commit a |
36 |
trojaned ebuild or do something else nasty. Thus, we try to be somewhat |
37 |
careful about handing the keys to the kingdom over to new folks. |
38 |
|
39 |
--kurt |