| 1 |
I personally think this is a bad idea. I can understand and support |
| 2 |
links to different overlay repositories, however I do not think that |
| 3 |
gentoo should host or support overlays on its own infrastructure. For |
| 4 |
one thing supporting overlays on our infrastructure looks like we are |
| 5 |
supporting broken ebuilds. This will also lead to more confusion with |
| 6 |
users who find these official overlays and then the overlays conflict |
| 7 |
with each other and cause problems that leads to comments like well |
| 8 |
gentoo should just know how to fix it and make it all work. I also |
| 9 |
think that this overlay structure will not provide incentives for people |
| 10 |
to commit to the main tree. They will get their ebuild in an overlay |
| 11 |
and its hosted on gentoo and distributed to the mirrors. At that point |
| 12 |
its easy for them to continue to use the overlay. Over time the overlay |
| 13 |
will diverge more and more from other overlays and even the main tree. |
| 14 |
|
| 15 |
If this still goes forward I think we should look at the debian layout |
| 16 |
where there is the core product and then the security branches etc. |
| 17 |
|
| 18 |
Personally I think this is going to cause more bug reports and less |
| 19 |
updates to the main tree. |
| 20 |
|
| 21 |
I also agree that a hostile fork is unlikely, however it is more |
| 22 |
possible with the overlay layout as anyone can get an ebuild mirrored on |
| 23 |
our infrastructure at this point. |
| 24 |
|
| 25 |
Another thing to concider is how would people be able to contribute to |
| 26 |
the overlays? Is there a review process? Is there a checkin process? |
| 27 |
If no then anyone can post a malicious ebuild that would be a security |
| 28 |
nightmare. I think this security viewpoint alone is enough to |
| 29 |
re-evaluate this plan of action. |
| 30 |
|
| 31 |
Eric |
| 32 |
|
| 33 |
On 14:41 Thu 23 Mar , Stuart Herbert wrote: |
| 34 |
> Hi Chris, |
| 35 |
> |
| 36 |
> On 3/23/06, Chris Gianelloni <wolf31o2@g.o> wrote: |
| 37 |
> > If some random developer goes out there and creates his own fork of |
| 38 |
> > catalyst in his overlay, I sure don't want to receive a *single* bug on |
| 39 |
> > it. Ever. |
| 40 |
> |
| 41 |
> Your nightmare scenario seems unavoidable. Enabling per-overlay bug |
| 42 |
> tracking doesn't stop users posting bugs in bugzilla. It just causes |
| 43 |
> confusion for users, because they're not sure where to go. Normally, |
| 44 |
> it's not a problem - because the overlay contributors are normally the |
| 45 |
> owners of the real package. |
| 46 |
> |
| 47 |
> A hostile fork of Catalyst is very much a special case. |
| 48 |
> |
| 49 |
> What we could do is say that overlays are for package trees only; ie |
| 50 |
> they are not general-purpose repositories for holding source trees. |
| 51 |
> That would ensure that your nightmare scenario is even less likely to |
| 52 |
> happen, and that if it does, it's through no fault of the overlays |
| 53 |
> project :) |
| 54 |
> |
| 55 |
> Best regards, |
| 56 |
> Stu |
| 57 |
> |
| 58 |
> -- |
| 59 |
> gentoo-dev@g.o mailing list |
| 60 |
> |
| 61 |
> |
Archives