| 1 |
On Monday 08 November 2004 13:15, Alexander Holler wrote: |
| 2 |
> In the bug I mentioned in my second post, I explain that the trojan for |
| 3 |
> ebuilds is also usable on eclasses (which I've missed because they where |
| 4 |
> relativly new and I've never used them). Ok, unrelated according to you. |
| 5 |
|
| 6 |
This is unrelated to versioning of eclasses. There is another bug open for |
| 7 |
signing of eclasses. |
| 8 |
|
| 9 |
> And the second post, I also have reminder on the first post, where the |
| 10 |
> first bug is mentioned where I explain how a list with hashes would |
| 11 |
> help. Ok, very complicated and unrelated too. |
| 12 |
|
| 13 |
Nobody denied that they wouldn't help. Scaring people definately does not help |
| 14 |
though. |
| 15 |
|
| 16 |
> > So, let me give you an account of where I see things are at: |
| 17 |
> > * SHA1 support is in portage but can't be enabled yet due to |
| 18 |
> > compatibility issues. That is, enabling it will prevent user's running |
| 19 |
> > <portage-2.0.51 from being able to upgrade. |
| 20 |
> |
| 21 |
> I still don't understand why just building a list with hashes (maybe |
| 22 |
> signed) takes over 2 years. |
| 23 |
|
| 24 |
I came on board with the portage team 12 months ago. One dev left and there is |
| 25 |
one new dev since then, which makes five. All of us are busy with non-Gentoo |
| 26 |
work, especially over the last several months. I'd estimate a total of 40-50 |
| 27 |
man-hours put into portage each week. |
| 28 |
|
| 29 |
Those 40-50 hours mostly go toward bug fixing as portage the code is a mess. |
| 30 |
It's become a mess because of the push to get this, that and the other |
| 31 |
feature in as quickly as possible. To give you a visible example, take the |
| 32 |
recent GPG signing support. Search bugs.g.o for gpg signing and have a look |
| 33 |
how many there are. How about glsa-check? |
| 34 |
|
| 35 |
Most features in portage are implemented in a very hackish way because people |
| 36 |
are always screaming "NOW!!!". The main focus of the team right now is to |
| 37 |
clean up that mess so that new features can be implemented quickly, easily |
| 38 |
and without an ensuing torrent of bug reports. |
| 39 |
|
| 40 |
> > The thing you seem to keep coming back to is why it hasn't already been |
| 41 |
> > completed. You've been given the answer to that several times - lack of |
| 42 |
> > time and higher priority issues. What I really would like to know is why |
| 43 |
> > you are |
| 44 |
> |
| 45 |
> Things like FEATURES="candy"? |
| 46 |
|
| 47 |
This combined with "emerge moo" was perhaps a max total of 2 hours work. Are |
| 48 |
you suggesting that we should not spend a trivial amount of our volunteer |
| 49 |
time adding something that is welcomed by many? |
| 50 |
|
| 51 |
Regards, |
| 52 |
Jason Stubbs |
| 53 |
|
| 54 |
-- |
| 55 |
gentoo-security@g.o mailing list |
Archives