Gentoo Archives: gentoo-project

From: Michael Orlitzky <mjo@g.o>
To: gentoo-project@l.g.o
Subject: Re: [gentoo-project] [RFC] New project: GURU [Gentoo User Repository, Unreviewed]
Date: Mon, 04 Feb 2019 14:25:47
Message-Id: a4f8a074-0f52-1a5d-edaf-09bd3982b8ed@gentoo.org
In Reply to: Re: [gentoo-project] [RFC] New project: GURU [Gentoo User Repository, Unreviewed] by "Michał Górny"
On 2/4/19 9:02 AM, Michał Górny wrote:
>> What is that reason? How is 'blindly accepting community contributions'
>> different from 'blindly accepting new developers'? In the former case,
>> at least we're not pretending things are secure when they're not.
>
The difference is the amount of effort and foresight involved (which, by the way, increases with the recent WoT proposal). It took a few months' worth of nights and weekends to become a developer. Yes, I can commit something malicious -- it will work, and then my credentials will be revoked. Now if I want to do it again, I have to come up with a fake name and fake online identity, and then spend at least a couple of weeks re-earning my developer status. As lots of potential developers (including myself at one time) have pointed out, that all sucks and nobody wants to do it. But, with an "official" completely unreviewed repository, I can compromise everyone who uses it immediately and then do the same thing again tomorrow. I still think there's some value to it, but it can't be completely unreviewed and also occupy the same keyword space.