Re: [gentoo-project] [RFC] New project: GURU [Gentoo User Repository, Unreviewed]
Mon, 04 Feb 2019 14:25:47
On 2/4/19 9:02 AM, Michał Górny wrote:
> What is that reason? How is 'blindly accepting community contributions'
> different from 'blindly accepting new developers'? In the former case,
> at least we're not pretending things are secure when they're not.
The difference is the amount of effort and foresight involved (which, by
the way, increases with the recent WoT proposal).
It took a few months' worth of nights and weekends to become a developer.
Yes, I can commit something malicious -- it will work, and then my
credentials will be revoked. Now if I want to do it again, I have to
come up with a fake name and fake online identity, and then spend at
least a couple weeks re-earning my developer status. As lots of
potential developers (including myself at one time) have pointed out,
that all sucks and nobody wants to do it.
But, with an "official" completely unreviewed repository, I can
compromise everyone who uses it immediately and then do the same thing
again tomorrow. I still think there's some value to it, but it can't be
completely unreviewed and also occupy the same keyword space.