On Monday 08 November 2004 13:15, Alexander Holler wrote:
> In the bug I mentioned in my second post, I explain that the trojan for
> ebuilds is also usable on eclasses (which I've missed because they were
> relatively new and I've never used them). Ok, unrelated according to you.
|
This is unrelated to versioning of eclasses. There is another bug open for
signing of eclasses.
|
> And the second post, I also have a reminder on the first post, where the
> first bug is mentioned where I explain how a list with hashes would
> help. Ok, very complicated and unrelated too.
|
Nobody denied that they wouldn't help. Scaring people definitely does not help
though.
|
> > So, let me give you an account of where I see things are at:
> > * SHA1 support is in portage but can't be enabled yet due to
> > compatibility issues. That is, enabling it will prevent users running
> > <portage-2.0.51 from being able to upgrade.
>
> I still don't understand why just building a list with hashes (maybe
> signed) takes over 2 years.
|
I came on board with the portage team 12 months ago. One dev left and there is
one new dev since then, which makes five. All of us are busy with non-Gentoo
work, especially over the last several months. I'd estimate a total of 40-50
man-hours put into portage each week.
|
Those 40-50 hours mostly go toward bug fixing as the portage code is a mess.
It's become a mess because of the push to get this, that and the other
feature in as quickly as possible. To give you a visible example, take the
recent GPG signing support. Search bugs.g.o for gpg signing and have a look
how many there are. How about glsa-check?
|
Most features in portage are implemented in a very hackish way because people
are always screaming "NOW!!!". The main focus of the team right now is to
clean up that mess so that new features can be implemented quickly, easily
and without an ensuing torrent of bug reports.
|
> > The thing you seem to keep coming back to is why it hasn't already been
> > completed. You've been given the answer to that several times - lack of
> > time and higher priority issues. What I really would like to know is why
> > you are
>
> Things like FEATURES="candy"?
|
This combined with "emerge moo" was perhaps a max total of 2 hours work. Are
you suggesting that we should not spend a trivial amount of our volunteer
time adding something that is welcomed by many?
|
Regards,
Jason Stubbs

--
gentoo-security@g.o mailing list