| 1 |
On Fri, 09 Jun 2006 13:08:01 +0200, Henrik Brix Andersen wrote: |
| 2 |
|
| 3 |
> On Thu, Jun 08, 2006 at 06:31:43PM -0400, Peter wrote: |
| 4 |
>> And, for me again as a user, using a gentoo-hosted overlay is |
| 5 |
>> preferable to a third party repository. This is a personal bias on my |
| 6 |
>> part -- and maybe unwarranted. |
| 7 |
> |
| 8 |
> This is actually my main concern with the Sunrice project. You say you |
| 9 |
> would prefer a gentoo-hosted overlay to a third party repository. Why is |
| 10 |
> that? I can only assume it's because you think "hey, it's officially |
| 11 |
> endorsed by Gentoo, the same people who maintain the other official |
| 12 |
> ebuilds - so it must be ok". |
| 13 |
> |
| 14 |
> I suspect most users will think similar and will come yelling at us, or |
| 15 |
> even worse - at upstream, when something in this overlay breaks and |
| 16 |
> leaves their computer as expensive paper weight (at least until they've |
| 17 |
> formattet and started over). |
| 18 |
> |
| 19 |
> Regards, |
| 20 |
> Brix |
| 21 |
|
| 22 |
I don't think so. I look forward to the sunrise (sorry I called it |
| 23 |
sunshine earlier, it was late) project because of two reasons. |
| 24 |
|
| 25 |
Firstly, I think it is very clear that anything in sunrise is experimental |
| 26 |
or not supported in the main gentoo tree. That's fine! I don't think any |
| 27 |
user who goes through the trouble to set up an overlay would miss that |
| 28 |
point. You can't go to o.g.o and not see the disclaimers. And, anyone who |
| 29 |
goes through the trouble to svn the overlay, edit make.conf, etc., would |
| 30 |
not be an ignorant newbie (no disrespect to newbies intended). Anyone who |
| 31 |
fetches the sunrise overlay would know exactly what he/she intends to do |
| 32 |
and why. Much different than emerge --sync with keyword x86. |
| 33 |
|
| 34 |
Secondly, my bias against a third party repository is perhaps unwarranted. |
| 35 |
I am sure the bmg site is excellent and the people running it are |
| 36 |
well-intentioned and experienced. However, that said, as a user, I have a |
| 37 |
higher comfort level staying in the gentoo.realm. |
| 38 |
|
| 39 |
Thirdly, the opportunity to be able to publish ebuilds that would |
| 40 |
otherwise languish in bugzilla is very exciting. I think it also gives the |
| 41 |
bugday people an opportunity to close out bugs. Despite what others have |
| 42 |
written, having multi-year old bugs is very counter productive. If |
| 43 |
something has not been fixed in so long, it probably either can't be |
| 44 |
fixed, or may not even apply anymore. I know this is a generalization, but |
| 45 |
if a bug was filed against gentoo 2004.3, who knows if it still applies |
| 46 |
with gentoo 2006.0. Especially if there has been little or no activity. |
| 47 |
|
| 48 |
Personally, I don't see the conflict, or the risk, or the additional work |
| 49 |
for devs. In fact, I see the opposite. Removing maintainer-wanted bugs is |
| 50 |
a net positive. If that means the proposed ebuild lives in o.g.o that's |
| 51 |
fine. Just point users who see the bug over to it. And, if an ebuild |
| 52 |
proves to be useful, or popular, it's conceivable that it could ultimately |
| 53 |
find its way over to the main tree. |
| 54 |
|
| 55 |
As for the more sinister aspects of a rogue ebuild finding its way onto |
| 56 |
o.g.o, sure that's a possibility. However, any dev could do the same in |
| 57 |
portage because they have commit access (and the problem may not be |
| 58 |
caught right away). Moreover, it's possible that an ebuild may be fine, |
| 59 |
but a particular version of a package tarball could have outright |
| 60 |
malicious code or an undetected security hole in it that has not been |
| 61 |
caught yet. That could find its way onto portage too. IMHO, I don't see |
| 62 |
any more risk to security in o.g.o. |
| 63 |
|
| 64 |
Again, I think you need to consider your audience for o.g.o. The newbie |
| 65 |
won't be there or be syncing to o.g.o. The server admin probably would not |
| 66 |
be there either for updating a production machine. I think the main |
| 67 |
audience for o.g.o. would be the power user, or the wannabe power user or |
| 68 |
certain project teams, or people with a particular interest or need in a |
| 69 |
project not hosted on the main tree -- that is people who actively need |
| 70 |
sunrise's services. |
| 71 |
|
| 72 |
And, looking at this from a broader perspective, I see this as a real |
| 73 |
enhancement to gentoo. Offering an experimental tree for packages not |
| 74 |
intended or not wanted in the main tree. This is an added benefit, it |
| 75 |
demonstrates a policy of inclusion, not exclusion. It shows a willingness |
| 76 |
to push the envelope and give certain packages a home where they would not |
| 77 |
normally get one. |
| 78 |
|
| 79 |
-- |
| 80 |
Peter |
| 81 |
|
| 82 |
|
| 83 |
-- |
| 84 |
gentoo-dev@g.o mailing list |
Archives