Gentoo Archives: gentoo-project

From: "Michał Górny" <mgorny@g.o>
To: gentoo-project <gentoo-project@l.g.o>
Subject: [gentoo-project] [RFC] New project: GURU [Gentoo User Repository, Unreviewed]
Date: Sun, 03 Feb 2019 19:29:13
Message-Id: 1549222129.929.25.camel@gentoo.org

Hello,

I'd like to collect feedback on starting a new project focused
on providing a platform for users to work on ebuilds without the explicit
need for developer intervention.


Why?
----
The current contribution platforms seem inadequate to the needs of our
users.  In particular:

- Submissions via Bugzilla etc. are inconvenient for anyone to use,
and basically rely on some developer taking them up and transferring
to ::gentoo.

- Proxy-maint requires a lot of effort for both contributors
and developers.  We've been undermanned for quite some time and can't handle
all the contributions in a timely manner.  Plus, not every contributor wants to
become a package maintainer.

- User repositories are cheap to create but cause ebuilds to be
scattered all over the place.  In the end, they're inconvenient to
users, and adding them and cleaning up unmaintained repos afterwards
costs me a lot of effort.

While all of those venues have their use case, we seem to lack something
akin to Arch Linux's AUR.  What I'm specifically aiming for here is
a single place where users can maintain (or not) packages themselves
without unnecessary developer intervention.  Something like Sunrise,
except without reviews.


What do I propose?
------------------
GURU would be an official repository maintained entirely by Gentoo
users.  I'm thinking of a Wiki-like workflow where anyone is allowed to
add new ebuilds or modify existing ebuilds, and users are expected to
keep order.  Gentoo developers would be allowed to contribute
on the same terms as users; official developer intervention would be
only used to resolve conflicts and other kinds of trouble.


Open issues
-----------
1. Should the access be open or explicitly granted?  If the latter, how
should we determine whether to grant access for a particular
contributor?

2. Where should it be hosted?  Gentoo Infra is unsuitable for open
access, as we would have to add all keys manually.  GitHub, GitLab, etc.
are all options.

3. How far should Gentoo policies apply?  I think we should enforce
sign-off per copyright policy but let users resolve issues beyond that.

4. Should it be purely for new packages, or should forking Gentoo
packages be allowed?  I'm thinking allowing forks for unmaintained
or severely outdated Gentoo packages makes sense.

5. And most importantly, what should the last 'U' stand for?  My initial
idea was 'Unreviewed' but I'm open to better-sounding ideas.


Foreseen Q&A
------------

* Will it replace proxy-maint?

No, proxy-maint will continue working as-is.  I expect some contributors
may switch over, and some will simply submit ebuilds both ways.
Ideally, GURU may serve as an initial ebuild improvement/proofreading
exercise before moving to ::gentoo.

* Why not revive Sunrise instead?

The problem with Sunrise is that it needs active developers.  Given that
it died pretty much because people lost interest, I don't think trying
to artificially revive it is going to help.  Instead, I'd like to try
something new and see how it works.

* Who will be allowed to commit?

The idea is that everybody will be allowed to commit.  I'm not planning
to enforce strong maintainer boundaries like in Gentoo.  However,
in the end I expect the people actually working on GURU to decide
and establish best practices themselves.

* What if somebody submits malware?

This risk is inevitable.  Hopefully, the Wiki-like workflow will
eventually create some kind of mutual review of new commits, and users
will look out for suspicious ebuilds.  Users will be able to revert them
themselves, and developers will block reported accounts if necessary.

That said, please remember that no other way of submitting ebuilds is
free of this risk.  Believe me, we don't really review the code of every
submitted package, and if somebody wrote a program with malicious
functionality and wanted to package it, it will probably be accepted.

* What if somebody misbehaves?

I think we will reserve the right to ban contributors who repeatedly
misbehave (e.g. remove packages, commit offensive stuff, etc.).


---
What do you think?

-- 
Best regards,
Michał Górny
