Gentoo Archives: gentoo-project

From: Rich Freeman <rich0@g.o>
To: gentoo-project <gentoo-project@l.g.o>
Subject: Re: [gentoo-project] [RFC] New project: GURU [Gentoo User Repository, Unreviewed]
Date: Mon, 04 Feb 2019 14:35:34
In Reply to: [gentoo-project] [RFC] New project: GURU [Gentoo User Repository, Unreviewed] by "Michał Górny"
On Sun, Feb 3, 2019 at 2:28 PM Michał Górny <mgorny@g.o> wrote:
> 1. Should the access be open or explicitly granted? If the latter, how
> should we determine whether to grant access for a particular
> contributor?
Obviously we're going for a low barrier to entry here. However, I think there needs to be SOME kind of reputation system in place (not necessarily at time of account creation), otherwise we're going to be open to completely trivial attacks. One thing I don't like about AUR is that fairly non-exotic packages end up residing there solely, and updating these becomes tedious, because you basically have to protect yourself against the script kiddies.

I don't think our intent here is to have the main repository focus mainly on @system though, so this might not be as much of an issue. We probably do need to have some way to keep users from just shooting themselves in the foot. Unless we have a really strong vetting process for packages in this alternate repository, we're not going to want to have people just blindly accepting updates from there.

All that said, I think the "AUR Helper" approach Arch uses is a pretty clunky approach. I feel like there ought to be some kind of reputation-based solution where users can earn karma based on actual contributions, and then for updates to be eligible for keywording or whatever they have to be endorsed by users with enough collective karma or something. Obviously that is way less trivial to build than a random git repo that lots of people can push to or whatever.

If we had a reputation-based system then anybody could be allowed to submit ebuilds without any vetting, since they wouldn't actually become keyworded/effective/published/whatever until they get vouched for. However, we'd have to avoid a system where account spam can be used to play karma games quickly and sneak in packages.

Another approach would be a WoT-like system where users pick what other users THEY trust and the package manager understands this, so only ebuilds endorsed by that other user are accepted. Maybe like GPG there can be trust levels/scores so that more than one endorsement is allowed.

Being end-user-driven, this would be much less susceptible to karma games. It probably would require a lot less micromanagement as well, and there are no longer arguments over who should/shouldn't get karma, as every end user gets to decide for themselves. On the flip side it does let users shoot themselves in the foot, which I guess is how we tend to roll here...

Really, though, you have to expect that something like this is going to get abused. I think the key is to make abuse non-trivial so that we aren't playing whack-a-mole with rootkit installers.

--
Rich
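The WoT-style acceptance rule sketched in the message above (users assign GPG-like trust levels to other users, and an ebuild update only becomes eligible once endorsers the user trusts add up to a threshold), as an added illustration that is not part of the thread, of GURU or of Portage. The trust weights (one "full" endorser, or three "marginal" ones), the endorser and package names and the endorsement list are all constructed for this example; the thread fixes no such numbers.

```python
"""Toy model of an endorsement-based (WoT-like) acceptance rule for
ebuilds from an unreviewed repository. Added example, not project code."""
from dataclasses import dataclass

# Integer trust weights mirroring GnuPG's owner-trust idea: one fully trusted
# endorser suffices, or three marginally trusted ones. Assumed values for this
# example only.
TRUST_WEIGHT = {"full": 3, "marginal": 1}
THRESHOLD = 3


@dataclass(frozen=True)
class Endorsement:
    """One account vouching for one exact ebuild version."""
    ebuild: str     # e.g. "app-misc/foo-1.2.3" (constructed name)
    endorser: str   # account that vouched


def endorsement_score(my_trust, endorsements, ebuild):
    """Sum the weights of endorsers *this user* trusts for this exact ebuild.

    Endorsers absent from my_trust contribute nothing, so a swarm of fresh
    accounts cannot push an ebuild over the threshold; each endorser is
    counted at most once, so repeated endorsements do not stack; and the
    match is on the exact version, so vouching for foo-1.0 says nothing
    about foo-1.1.
    """
    counted = set()
    score = 0
    for e in endorsements:
        if e.ebuild != ebuild or e.endorser in counted:
            continue
        counted.add(e.endorser)
        score += TRUST_WEIGHT.get(my_trust.get(e.endorser, "none"), 0)
    return score


def is_accepted(my_trust, endorsements, ebuild):
    """True once trusted endorsements reach the threshold."""
    return endorsement_score(my_trust, endorsements, ebuild) >= THRESHOLD


def eligible_updates(my_trust, endorsements, candidates):
    """Keep only the candidate ebuilds this user's own trust graph accepts."""
    return [c for c in candidates if is_accepted(my_trust, endorsements, c)]


# Constructed sample data (not from the thread).
MY_TRUST = {"alice": "full", "bob": "marginal", "carol": "marginal", "dave": "marginal"}

ENDORSEMENTS = [
    Endorsement("app-misc/foo-1.2.3", "alice"),   # one full endorser
    Endorsement("app-misc/bar-2.0", "bob"),
    Endorsement("app-misc/bar-2.0", "carol"),
    Endorsement("app-misc/bar-2.0", "dave"),      # three marginal endorsers
    Endorsement("app-misc/baz-0.1", "bob"),
    Endorsement("app-misc/baz-0.1", "carol"),
    Endorsement("app-misc/baz-0.1", "bob"),       # duplicate, counted once
    Endorsement("app-misc/old-1.0", "alice"),     # vouches for 1.0, not 1.1
] + [Endorsement("app-misc/qux-9", f"sybil{i}") for i in range(50)]  # account spam

CANDIDATES = ["app-misc/foo-1.2.3", "app-misc/bar-2.0", "app-misc/baz-0.1",
              "app-misc/old-1.1", "app-misc/qux-9"]

if __name__ == "__main__":
    for c in CANDIDATES:
        print(f"{c:22} score={endorsement_score(MY_TRUST, ENDORSEMENTS, c)} "
              f"accepted={is_accepted(MY_TRUST, ENDORSEMENTS, c)}")
```

Because the trust map is the end user's own, the fifty "sybil" endorsements score zero without any central moderation, which is the property the message credits the WoT approach with; the price, also noted above, is that a user who marks a careless account as fully trusted has nobody else to blame.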