1 |
AllenJB wrote: |
2 |
> |
3 |
> All that's going to happen is Gentoo will have many many buggy and out |
4 |
> of date packages in the MAIN TREE. Exactly where they shouldn't be. You |
5 |
> claim quality won't be sacrificed, but I simply can't see this without |
6 |
> any attempt to solve the manpower issues first. |
7 |
> |
8 |
> Isn't the purpose of this project already somewhat covered by Sunrise? |
9 |
|
10 |
I have to agree with your points. We need to have quality standards for |
11 |
packages. Currently we have a couple of tiers: |
12 |
|
13 |
1. Main tree - every ebuild has an official maintainer and gets prompt |
14 |
security updates/etc. New features might get a little more stale, but |
15 |
you aren't going to be running at risk if you only use the main tree and |
16 |
routinely emerge -u world. If a package falls behind on security it |
17 |
gets masked and booted. |
18 |
|
19 |
2. Overlays - you're on your own and at the general mercy of the |
20 |
overlay maintainer. |
21 |
|
22 |
3. Sunrise (just a special case of an overlay) - somewhere in-between. |
23 |
Again, you have to opt-in. |
24 |
|
25 |
I think that we still need to have defined levels of quality, so if we |
26 |
start putting unmaintained stuff in the main tree then we absolutely |
27 |
need to preserve a mechanism for users to indicate what level of quality |
28 |
they desire. Users running a typical install shouldn't inadvertently |
29 |
have dependencies pulled in which aren't fully controlled for security |
30 |
issues. |
31 |
|
32 |
Could something like sunrise be integrated into the main tree? Sure. |
33 |
However, there would need to be lots of rules and QA checks like |
34 |
non-sunrise packages not depending on sunrise packages and the sunrise |
35 |
packages are somehow clearly marked. Maybe even an ACCEPT_QUALITY = |
36 |
"good-luck-with-that" setting or something like that in make.conf. We |
37 |
might also need tiered levels of security in cvs. I'm not convinced |
38 |
that in the end it will be any better than just having those who are |
39 |
interested add an overlay to their tree. |
40 |
|
41 |
Maybe a better option would be a way to make overlays more seamless. |
42 |
Additionally we could have rating categories for overlays like "security |
43 |
responsiveness," "currency with upstream," etc. The gentoo project |
44 |
would ask overlays to declare their policies as a condition of being |
45 |
accessible via the seamless interface, and would drop overlays if they |
46 |
don't follow their policies. It would still be easy for users to pick |
47 |
non-standard overlays but it would be clear that they are venturing off |
48 |
on their own if they do this (just as is the case with layman today). |
49 |
|
50 |
Sure, I'd love to see an extra 1000 supported packages in portage, but |
51 |
the key is "supported", not just shoveled-in. |