| 1 |
On Mon, 2019-02-04 at 20:14 +0200, Joonas Niilola wrote: |
| 2 |
> On 2/4/19 7:38 PM, Michał Górny wrote: |
| 3 |
> > Reviews can be done by devs or privileges users. Review by dev gives 3 |
| 4 |
> > rep points, and by privileged user gives 1 rep point. Therefore, |
| 5 |
> > a commit is merged if it's either reviewed by dev or 3 privileged users. |
| 6 |
> |
| 7 |
> This could be 'exploited' with a group of friends. By exploited I mean |
| 8 |
> small inner circles forming, where people just approve their friends |
| 9 |
> commits without looking at them. |
| 10 |
|
| 11 |
You can never prevent exploitation. However, you can make it harder |
| 12 |
and I think this model (possibly with n>3) works towards that goal. If |
| 13 |
we notice people doing bad stuff, we can always ban them and regaining |
| 14 |
the privileges makes things non-trivial enough. |
| 15 |
|
| 16 |
> What about ebuilds not many people have knowledge of? Say, java stuff? |
| 17 |
> If no user wants to take a look, it will always require a review from a |
| 18 |
> dev, and judging how that goes even with current Github PRs, will it |
| 19 |
> _ever_ get approved here? |
| 20 |
|
| 21 |
The main purpose of the review is to block malicious stuff from going |
| 22 |
unnoticed, not provide ::gentoo-level of thorough code reviews. I think |
| 23 |
most of the people will be able to spot suspicious stuff, independently |
| 24 |
of language or build system. If it is hidden well enough, then I doubt |
| 25 |
trained Java people would notice it either. |
| 26 |
|
| 27 |
> What would motivate a developer to review these ebuilds, if there's |
| 28 |
> still separate proxy-maint stuff to work on? |
| 29 |
|
| 30 |
Ideally, the system would work without developer intervention. Once |
| 31 |
enough users gain review privileges, the system becomes self-sustainable |
| 32 |
and developer intervention is limited to reacting on flagged commits. |
| 33 |
|
| 34 |
> Users gain reviewing privilege also via reputation points. If a commit |
| 35 |
> > range including user's commit gets merged to master, user gets 1 rep |
| 36 |
> > point (independently of number of commits in the range). When user gets |
| 37 |
> > 5 rep points, he can start reviewing stuff. |
| 38 |
> |
| 39 |
> So this requires people to make commits to this overlay before being |
| 40 |
> able to review there? Some system should exist, where for example your |
| 41 |
> commits to ::gentoo counts toward this. Otherwise this could encourage |
| 42 |
> people to make meaningless commits just to satisfy the counter. |
| 43 |
|
| 44 |
1) You get only one point for the whole series of commits, so making |
| 45 |
extra commits for the sake of it doesn't grant you anything. |
| 46 |
|
| 47 |
2) I suppose it'd make sense to make it possible for reviewers to decide |
| 48 |
if they grant committers reputation points. So if you made meaningless |
| 49 |
commits, the reviewer would just uncheck a box next to your name and you |
| 50 |
wouldn't gain anything. |
| 51 |
|
| 52 |
> > Your updated thoughts? |
| 53 |
> > |
| 54 |
> |
| 55 |
> _If_ in this approach a dev is still needed for merging stuff in the |
| 56 |
> end, couldn't this somehow be applied to how the current proxy-maint |
| 57 |
> system works? |
| 58 |
> |
| 59 |
> |
| 60 |
> Is there a chance these ebuilds could end up in ::gentoo? _Could_ there |
| 61 |
> be some voting system for that (although I believe that kills the |
| 62 |
> incentive of ever adding this overlay as a user)? |
| 63 |
|
| 64 |
Voting won't help proxy-maint. Active contributors pre-reviewing stuff |
| 65 |
and helping get it improved does but it's still a lot of effort from |
| 66 |
developers. |
| 67 |
|
| 68 |
The point is, as long as it's not ::gentoo, we can live with ebuilds |
| 69 |
that fail to build due to silly mistakes or otherwise need improvement. |
| 70 |
Testing stuff for ::gentoo is much more effort. |
| 71 |
|
| 72 |
> And as asked by someone in the previous thread, what's the plan of |
| 73 |
> cleaning the overlay every now and then? (How?) |
| 74 |
|
| 75 |
Up to the users. |
| 76 |
|
| 77 |
> |
| 78 |
> Who takes care of broken packages? |
| 79 |
> |
| 80 |
|
| 81 |
Up to you. You either fix it, or if it's broken beyond repair, you |
| 82 |
remove it. Possibly plus revdeps. |
| 83 |
|
| 84 |
The whole point of it being user repository is that users are supposed |
| 85 |
to do the work. Just imagine you're a Gentoo developer and you need to |
| 86 |
make sure your repository is neat. |
| 87 |
|
| 88 |
-- |
| 89 |
Best regards, |
| 90 |
Michał Górny |
Archives