| 1 |
On Sat, Feb 17, 2018 at 4:07 PM, Daniel Robbins <drobbins@××××××.org> wrote: |
| 2 |
> |
| 3 |
> First, if chromium isn't shipping a stable upstream release, then the |
| 4 |
> chromium or "browser-kit" kit can select a version that has undergone some |
| 5 |
> testing and is known to be reliable, and make sure this ends up in the |
| 6 |
> "prime" kit. The latest dev releases can be added to the "dev" kit of |
| 7 |
> 'browser-kit'. |
| 8 |
> |
| 9 |
|
| 10 |
I think I need to clarify what I meant regarding QA. In Gentoo we |
| 11 |
have QA standards that are universal, and other standards that govern |
| 12 |
keywording in particular. |
| 13 |
|
| 14 |
If we went to an overlay-based system we could either hold all the |
| 15 |
overlays to the same standards, or allow them to vary. If we allow |
| 16 |
them to vary then we need ways to categorize the various QA standards |
| 17 |
so that people can control what they're getting. |
| 18 |
|
| 19 |
This has nothing to do with what upstream considers stable/beta/etc. |
| 20 |
To help reduce confusion I will change "stable" to "supported." |
| 21 |
|
| 22 |
For example, for an overlay to be considered "supported" it might be |
| 23 |
required to: |
| 24 |
1. Address security bugs in accordance with policies like: "A Gentoo |
| 25 |
package found on 5%+ of user installs that allows remote execution of |
| 26 |
arbitrary code must be fixed within 1 day." (Which is a Gentoo policy |
| 27 |
currently [1].) |
| 28 |
2. Not keyword packages as stable for 30 days except as required for |
| 29 |
security vulnerabilities. |
| 30 |
3. Not remove the highest-numbered stable-keyworded version of a package. |
| 31 |
4. Never contain errors detectable by repoman. |
| 32 |
|
| 33 |
On the other hand, an overlay considered experimental might not have |
| 34 |
to follow any of those rules. |
| 35 |
|
| 36 |
Suppose the chromium team has a bleeding-edge repository where they |
| 37 |
often have repoman errors, but it is tagged experimental. This would |
| 38 |
not be a problem. However, devs who want to use chromium without the |
| 39 |
repoman errors might be forced to fork this and create a "supported" |
| 40 |
chromium overlay. This may or may not actually contain stable |
| 41 |
keywords. |
| 42 |
|
| 43 |
Now, we can of course choose to simply impose QA standards top-down on |
| 44 |
all overlays that are a part of this scheme and avoid some of this. |
| 45 |
Maybe core packages would have higher standards than non-core, but |
| 46 |
that would be it, and nobody would be allowed to have things like |
| 47 |
repoman errors or persistent security vulnerabilities in one of these |
| 48 |
new overlays. However, this does reduce the flexibility (and |
| 49 |
complexity) of such a scheme. |
| 50 |
|
| 51 |
I'd also note that we could apply these kinds of QA labels to overlays |
| 52 |
informationally. By this I mean that as far as policy is concerned |
| 53 |
everything would be held to a defined standard, however some process |
| 54 |
would provide additional descriptive labels to overlays to indicate |
| 55 |
whether they exceed or fall short of the standard. For example, an |
| 56 |
automated process might review all security bugs in the last six |
| 57 |
months and measure their timings and grade the overlay against our |
| 58 |
goals. While this could be used to prod projects that fall short it |
| 59 |
could just as easily be aimed more that users who would be interested |
| 60 |
in knowing that a particular overlay delivers a very high level of |
| 61 |
quality so that they can use this information to guide their own risk |
| 62 |
management. |
| 63 |
|
| 64 |
Finally, as an example of a somewhat cheaper buffer that already |
| 65 |
exists in Gentoo I'd consider the stable mirror: |
| 66 |
https://github.com/gentoo-mirror/gentoo |
| 67 |
|
| 68 |
The stable branch (which is the default) on this only pulls from the |
| 69 |
gentoo-x86 master when it passes all repoman checks. When somebody |
| 70 |
makes a broken commit it simply pauses the stable branch until it is |
| 71 |
fixed, and users of this branch would never see the problem. This |
| 72 |
isn't really the same thing, but it is an example of a cheap solution. |
| 73 |
|
| 74 |
|
| 75 |
1 - https://www.gentoo.org/support/security/vulnerability-treatment-policy.html |
| 76 |
|
| 77 |
-- |
| 78 |
Rich |
Archives