| 1 |
AllenJB wrote: |
| 2 |
> |
| 3 |
> All that's going to happen is Gentoo will have many many buggy and out |
| 4 |
> of date packages in the MAIN TREE. Exactly where they shouldn't be. You |
| 5 |
> claim quality won't be sacrificed, but I simply can't see this without |
| 6 |
> any attempt to solve the manpower issues first. |
| 7 |
> |
| 8 |
> Isn't the purpose of this project already somewhat covered by Sunrise? |
| 9 |
|
| 10 |
I have to agree with your points. We need to have quality standards for |
| 11 |
packages. Currently we have a couple of tiers: |
| 12 |
|
| 13 |
1. Main tree - every ebuild has an official maintainer and gets prompt |
| 14 |
security updates/etc. New features might get a little more stale, but |
| 15 |
you aren't going to be running at risk if you only use the main tree and |
| 16 |
routinely emerge -u world. If a package falls behind on security it |
| 17 |
gets masked and booted. |
| 18 |
|
| 19 |
2. Overlays - you're on your own and at the general mercy of the |
| 20 |
overlay maintainer. |
| 21 |
|
| 22 |
3. Sunrise (just a special case of an overlay) - somewhere in-between. |
| 23 |
Again, you have to opt-in. |
| 24 |
|
| 25 |
I think that we still need to have defined levels of quality, so if we |
| 26 |
start putting unmaintained stuff in the main tree then we absolutely |
| 27 |
need to preserve a mechanism for users to indicate what level of quality |
| 28 |
they desire. Users running a typical install shouldn't inadvertently |
| 29 |
have dependencies pulled in which aren't fully controlled for security |
| 30 |
issues. |
| 31 |
|
| 32 |
Could something like sunrise be integrated into the main tree? Sure. |
| 33 |
However, there would need to be lots of rules and QA checks like |
| 34 |
non-sunrise packages not depending on sunrise packages and the sunrise |
| 35 |
packages are somehow clearly marked. Maybe even an ACCEPT_QUALITY = |
| 36 |
"good-luck-with-that" setting or something like that in make.conf. We |
| 37 |
might also need tiered levels of security in cvs. I'm not convinced |
| 38 |
that in the end it will be any better than just having those who are |
| 39 |
interested add an overlay to their tree. |
| 40 |
|
| 41 |
Maybe a better option would be a way to make overlays more seamless. |
| 42 |
Additionally we could have rating categories for overlays like "security |
| 43 |
responsiveness," "currency with upstream," etc. The gentoo project |
| 44 |
would ask overlays to declare their policies as a condition of being |
| 45 |
accessible via the seamless interface, and would drop overlays if they |
| 46 |
don't follow their policies. It would still be easy for users to pick |
| 47 |
non-standard overlays but it would be clear that they are venturing off |
| 48 |
on their own if they do this (just as is the case with layman today). |
| 49 |
|
| 50 |
Sure, I'd love to see an extra 1000 supported packages in portage, but |
| 51 |
the key is "supported", not just shoveled-in. |
Archives