1 |
On 08/10/04 Chris Gianelloni wrote: |
2 |
|
3 |
> I didn't think anything actually used overlays. The emerge glsa was |
4 |
> being designed to work like "emerge system" or "emerge world". It |
5 |
> would require a regular "emerge sync" step to work properly... at |
6 |
> least, that was my understanding. Forgive me if I'm wrong on that. |
7 |
|
8 |
Interesting to see people talking about things that aren't completely |
9 |
implemented yet ;) |
10 |
At the moment GLSAs reside in $PORTDIR/metadata/glsa and on |
11 |
http://www.gentoo.org/security/en/glsa, the current code (used by |
12 |
glsa-check) only looks at the former location. However I've written the |
13 |
code in a way so that the location can be changed in the same way as |
14 |
other portage variables (in make.* or on the commandline), so it's not a |
15 |
problem to change the location in the profile, however you'll have to |
16 |
find a way to get the GLSAs there. I originally also planned to |
17 |
implement a way to get the GLSAs directly over http, but that's more |
18 |
complicated than I thought first (and not very useful for our current |
19 |
tree anyway). |
20 |
|
21 |
> Personally, I think there should be as little change for the user as |
22 |
> possible. Breaking "emerge sync" is probably not the best way to go |
23 |
> about it. Causing "emerge sync" to perform a slightly different |
24 |
> function, though with the same results (getting new ebuilds) is |
25 |
> probably the way to go. While I doubt we would be using gensync |
26 |
> directly, it definitely gives us a strong starting point. I am going |
27 |
> to say that I wouldn't be opposed to using gensync and a separate |
28 |
> repository, I just think it ends up being overly complex, as if we're |
29 |
> going to be offering it as an "official" Gentoo release, we should add |
30 |
> proper support into the tools we already have (portage). Also, using |
31 |
> portage and emerge sync for updates allows a user to switch to the |
32 |
> "current" tree with almost no work. |
33 |
|
34 |
As for generating a frozen tree I understand that there are basically |
35 |
two options: a) use our current (changing) tree and only freeze the |
36 |
versions of packages in the profile or b) create a new tree that |
37 |
doesn't change at all (maybe even limited to only include supported |
38 |
packages/versions). The first is easier to implement but has IMO several |
39 |
problems: |
40 |
- we can only limit a package to a specific version, but not "remove" a |
41 |
complete package that we don't want to support (under the assumption |
42 |
that we're not going to support the whole tree) |
43 |
- I doubt that a "packages" file with several hundred (or thousand) |
44 |
entries is someting most developers want to maintain |
45 |
- As Spider has already mentioned: It doesn't guarantee a definite base |
46 |
system as the tree (including the profile) can change over time. |
47 |
|
48 |
That leaves us with option b): We already offer tarballs of the portage |
49 |
tree, including the tarballs used to create our releases. People even |
50 |
have to use them if they want to use GRP. As people already know how to |
51 |
use them I'd suggest that we use tarballs to provide our frozen tree |
52 |
(wether we use the existing ones or create special ones is open for |
53 |
discussion). As this GLEP is looking for a long-term solution we can |
54 |
probably rely on some portage modifications that will be included in the |
55 |
version after 2.0.51 that will enhance our `emerge sync` mechanisms |
56 |
greatly (removing the need for emerge-webrsync and gensync). With these |
57 |
modifications we can set SYNC to our tarball and offer updates over |
58 |
rsync/cvs/tarballs/other transport that will be stored in an overlay, |
59 |
that overlay can then by synced with `emerge --sync updates` ("updates" |
60 |
is just an example, we can use any name there). |
61 |
(Anyone interested in the details of the modification see bug 35535). |
62 |
|
63 |
Marius |