1 |
I personally think this is a bad idea. I can understand and support |
2 |
links to different overlay repositories, however I do not think that |
3 |
gentoo should host or support overlays on its own infrastructure. For |
4 |
one thing supporting overlays on our infrastructure looks like we are |
5 |
supporting broken ebuilds. This will also lead to more confusion with |
6 |
users who find these official overlays and then the overlays conflict |
7 |
with each other and cause problems that leads to comments like well |
8 |
gentoo should just know how to fix it and make it all work. I also |
9 |
think that this overlay structure will not provide incentives for people |
10 |
to commit to the main tree. They will get their ebuild in an overlay |
11 |
and its hosted on gentoo and distributed to the mirrors. At that point |
12 |
its easy for them to continue to use the overlay. Over time the overlay |
13 |
will diverge more and more from other overlays and even the main tree. |
14 |
|
15 |
If this still goes forward I think we should look at the debian layout |
16 |
where there is the core product and then the security branches etc. |
17 |
|
18 |
Personally I think this is going to cause more bug reports and less |
19 |
updates to the main tree. |
20 |
|
21 |
I also agree that a hostile fork is unlikely, however it is more |
22 |
possible with the overlay layout as anyone can get an ebuild mirrored on |
23 |
our infrastructure at this point. |
24 |
|
25 |
Another thing to concider is how would people be able to contribute to |
26 |
the overlays? Is there a review process? Is there a checkin process? |
27 |
If no then anyone can post a malicious ebuild that would be a security |
28 |
nightmare. I think this security viewpoint alone is enough to |
29 |
re-evaluate this plan of action. |
30 |
|
31 |
Eric |
32 |
|
33 |
On 14:41 Thu 23 Mar , Stuart Herbert wrote: |
34 |
> Hi Chris, |
35 |
> |
36 |
> On 3/23/06, Chris Gianelloni <wolf31o2@g.o> wrote: |
37 |
> > If some random developer goes out there and creates his own fork of |
38 |
> > catalyst in his overlay, I sure don't want to receive a *single* bug on |
39 |
> > it. Ever. |
40 |
> |
41 |
> Your nightmare scenario seems unavoidable. Enabling per-overlay bug |
42 |
> tracking doesn't stop users posting bugs in bugzilla. It just causes |
43 |
> confusion for users, because they're not sure where to go. Normally, |
44 |
> it's not a problem - because the overlay contributors are normally the |
45 |
> owners of the real package. |
46 |
> |
47 |
> A hostile fork of Catalyst is very much a special case. |
48 |
> |
49 |
> What we could do is say that overlays are for package trees only; ie |
50 |
> they are not general-purpose repositories for holding source trees. |
51 |
> That would ensure that your nightmare scenario is even less likely to |
52 |
> happen, and that if it does, it's through no fault of the overlays |
53 |
> project :) |
54 |
> |
55 |
> Best regards, |
56 |
> Stu |
57 |
> |
58 |
> -- |
59 |
> gentoo-dev@g.o mailing list |
60 |
> |
61 |
> |