1 |
On Mon, 2019-02-04 at 20:14 +0200, Joonas Niilola wrote: |
2 |
> On 2/4/19 7:38 PM, Michał Górny wrote: |
3 |
> > Reviews can be done by devs or privileges users. Review by dev gives 3 |
4 |
> > rep points, and by privileged user gives 1 rep point. Therefore, |
5 |
> > a commit is merged if it's either reviewed by dev or 3 privileged users. |
6 |
> |
7 |
> This could be 'exploited' with a group of friends. By exploited I mean |
8 |
> small inner circles forming, where people just approve their friends |
9 |
> commits without looking at them. |
10 |
|
11 |
You can never prevent exploitation. However, you can make it harder |
12 |
and I think this model (possibly with n>3) works towards that goal. If |
13 |
we notice people doing bad stuff, we can always ban them and regaining |
14 |
the privileges makes things non-trivial enough. |
15 |
|
16 |
> What about ebuilds not many people have knowledge of? Say, java stuff? |
17 |
> If no user wants to take a look, it will always require a review from a |
18 |
> dev, and judging how that goes even with current Github PRs, will it |
19 |
> _ever_ get approved here? |
20 |
|
21 |
The main purpose of the review is to block malicious stuff from going |
22 |
unnoticed, not provide ::gentoo-level of thorough code reviews. I think |
23 |
most of the people will be able to spot suspicious stuff, independently |
24 |
of language or build system. If it is hidden well enough, then I doubt |
25 |
trained Java people would notice it either. |
26 |
|
27 |
> What would motivate a developer to review these ebuilds, if there's |
28 |
> still separate proxy-maint stuff to work on? |
29 |
|
30 |
Ideally, the system would work without developer intervention. Once |
31 |
enough users gain review privileges, the system becomes self-sustainable |
32 |
and developer intervention is limited to reacting on flagged commits. |
33 |
|
34 |
> Users gain reviewing privilege also via reputation points. If a commit |
35 |
> > range including user's commit gets merged to master, user gets 1 rep |
36 |
> > point (independently of number of commits in the range). When user gets |
37 |
> > 5 rep points, he can start reviewing stuff. |
38 |
> |
39 |
> So this requires people to make commits to this overlay before being |
40 |
> able to review there? Some system should exist, where for example your |
41 |
> commits to ::gentoo counts toward this. Otherwise this could encourage |
42 |
> people to make meaningless commits just to satisfy the counter. |
43 |
|
44 |
1) You get only one point for the whole series of commits, so making |
45 |
extra commits for the sake of it doesn't grant you anything. |
46 |
|
47 |
2) I suppose it'd make sense to make it possible for reviewers to decide |
48 |
if they grant committers reputation points. So if you made meaningless |
49 |
commits, the reviewer would just uncheck a box next to your name and you |
50 |
wouldn't gain anything. |
51 |
|
52 |
> > Your updated thoughts? |
53 |
> > |
54 |
> |
55 |
> _If_ in this approach a dev is still needed for merging stuff in the |
56 |
> end, couldn't this somehow be applied to how the current proxy-maint |
57 |
> system works? |
58 |
> |
59 |
> |
60 |
> Is there a chance these ebuilds could end up in ::gentoo? _Could_ there |
61 |
> be some voting system for that (although I believe that kills the |
62 |
> incentive of ever adding this overlay as a user)? |
63 |
|
64 |
Voting won't help proxy-maint. Active contributors pre-reviewing stuff |
65 |
and helping get it improved does but it's still a lot of effort from |
66 |
developers. |
67 |
|
68 |
The point is, as long as it's not ::gentoo, we can live with ebuilds |
69 |
that fail to build due to silly mistakes or otherwise need improvement. |
70 |
Testing stuff for ::gentoo is much more effort. |
71 |
|
72 |
> And as asked by someone in the previous thread, what's the plan of |
73 |
> cleaning the overlay every now and then? (How?) |
74 |
|
75 |
Up to the users. |
76 |
|
77 |
> |
78 |
> Who takes care of broken packages? |
79 |
> |
80 |
|
81 |
Up to you. You either fix it, or if it's broken beyond repair, you |
82 |
remove it. Possibly plus revdeps. |
83 |
|
84 |
The whole point of it being user repository is that users are supposed |
85 |
to do the work. Just imagine you're a Gentoo developer and you need to |
86 |
make sure your repository is neat. |
87 |
|
88 |
-- |
89 |
Best regards, |
90 |
Michał Górny |