1 |
On Sat, Feb 17, 2018 at 4:07 PM, Daniel Robbins <drobbins@××××××.org> wrote: |
2 |
> |
3 |
> First, if chromium isn't shipping a stable upstream release, then the |
4 |
> chromium or "browser-kit" kit can select a version that has undergone some |
5 |
> testing and is known to be reliable, and make sure this ends up in the |
6 |
> "prime" kit. The latest dev releases can be added to the "dev" kit of |
7 |
> 'browser-kit'. |
8 |
> |
9 |
|
10 |
I think I need to clarify what I meant regarding QA. In Gentoo we |
11 |
have QA standards that are universal, and other standards that govern |
12 |
keywording in particular. |
13 |
|
14 |
If we went to an overlay-based system we could either hold all the |
15 |
overlays to the same standards, or allow them to vary. If we allow |
16 |
them to vary then we need ways to categorize the various QA standards |
17 |
so that people can control what they're getting. |
18 |
|
19 |
This has nothing to do with what upstream considers stable/beta/etc. |
20 |
To help reduce confusion I will change "stable" to "supported." |
21 |
|
22 |
For example, for an overlay to be considered "supported" it might be |
23 |
required to: |
24 |
1. Address security bugs in accordance with policies like: "A Gentoo |
25 |
package found on 5%+ of user installs that allows remote execution of |
26 |
arbitrary code must be fixed within 1 day." (Which is a Gentoo policy |
27 |
currently [1].) |
28 |
2. Not keyword packages as stable for 30 days except as required for |
29 |
security vulnerabilities. |
30 |
3. Not remove the highest-numbered stable-keyworded version of a package. |
31 |
4. Never contain errors detectable by repoman. |
32 |
|
33 |
On the other hand, an overlay considered experimental might not have |
34 |
to follow any of those rules. |
35 |
|
36 |
Suppose the chromium team has a bleeding-edge repository where they |
37 |
often have repoman errors, but it is tagged experimental. This would |
38 |
not be a problem. However, devs who want to use chromium without the |
39 |
repoman errors might be forced to fork this and create a "supported" |
40 |
chromium overlay. This may or may not actually contain stable |
41 |
keywords. |
42 |
|
43 |
Now, we can of course choose to simply impose QA standards top-down on |
44 |
all overlays that are a part of this scheme and avoid some of this. |
45 |
Maybe core packages would have higher standards than non-core, but |
46 |
that would be it, and nobody would be allowed to have things like |
47 |
repoman errors or persistent security vulnerabilities in one of these |
48 |
new overlays. However, this does reduce the flexibility (and |
49 |
complexity) of such a scheme. |
50 |
|
51 |
I'd also note that we could apply these kinds of QA labels to overlays |
52 |
informationally. By this I mean that as far as policy is concerned |
53 |
everything would be held to a defined standard, however some process |
54 |
would provide additional descriptive labels to overlays to indicate |
55 |
whether they exceed or fall short of the standard. For example, an |
56 |
automated process might review all security bugs in the last six |
57 |
months and measure their timings and grade the overlay against our |
58 |
goals. While this could be used to prod projects that fall short it |
59 |
could just as easily be aimed more that users who would be interested |
60 |
in knowing that a particular overlay delivers a very high level of |
61 |
quality so that they can use this information to guide their own risk |
62 |
management. |
63 |
|
64 |
Finally, as an example of a somewhat cheaper buffer that already |
65 |
exists in Gentoo I'd consider the stable mirror: |
66 |
https://github.com/gentoo-mirror/gentoo |
67 |
|
68 |
The stable branch (which is the default) on this only pulls from the |
69 |
gentoo-x86 master when it passes all repoman checks. When somebody |
70 |
makes a broken commit it simply pauses the stable branch until it is |
71 |
fixed, and users of this branch would never see the problem. This |
72 |
isn't really the same thing, but it is an example of a cheap solution. |
73 |
|
74 |
|
75 |
1 - https://www.gentoo.org/support/security/vulnerability-treatment-policy.html |
76 |
|
77 |
-- |
78 |
Rich |