On Fri, 2006-06-09 at 02:53 +0200, Stefan Schweizer wrote:
> Stefan Schweizer wrote:
> it is actually encouraged to update bugzilla when changes are made in the
> overlay.

Encouraged? If you leave it at that, people will forget, and things will
get out of sync. At the very least you should supply per-package rss
feeds and email subscriptions. Otherwise this will be a downgrade in
functionality from the current bugzilla system. (Which I think is
perfectly fine as it is.)

> The ebuilds have a quality, repoman is required to be run. Also contributors
> should be knowing what they are doing - they are submitting an ebuild to
> the sunrise overlay, it needs to follow certain standards.

And what if they do know what they're doing, and what they're doing is
subverting Gentoo systems en masse? You're proposing to hand out commit
access to anyone who makes a case on IRC; you have no way to tell that
they aren't an attacker.

Part of the reason becoming a dev is expensive is that it provides a
barrier for attackers (and gives recruiters time to check that the
candidate is who they claim to be). By using Gentoo resources for this
project you're implying that the ebuilds can be trusted; hordes of users
*will* sync with the sunrise overlay, giving an attractive target to
attackers. (Or what if they're attacking overlays.gentoo.org itself?
This stuff is shell code; some well-meaning person's going to source it
at some point.)

And similarly, Gentoo's reputation would be immeasurably damaged if an
attacker succeeded in sneaking malicious code in. (Don't say you'll
review it; can you review every line of a 20K gcc4-compatibility patch?
Have you read the Underhanded C Contest?[1])

Ed

[1] http://www.brainhz.com/underhanded/

--
gentoo-dev@g.o mailing list