1 |
On Wednesday 08 September 2004 4:26 am, Jason Stubbs wrote: |
2 |
> On Wednesday 08 September 2004 03:14, Kurt Lieber wrote: |
3 |
> > On Tue, Sep 07, 2004 at 07:09:27PM +0200 or thereabouts, Christian |
4 |
> > Parpart |
5 |
> |
6 |
> wrote: |
7 |
> > > Some questions remain anyway. WHO exactly may submit (have write |
8 |
> > > access), and, how to get into this new idea to get a bit more attention |
9 |
> > > in public? |
10 |
> > |
11 |
> > Well, ideally, everyone would have write access. If that freaks people |
12 |
> > out a bit too much, then you could have some sort of cursory review |
13 |
> > process where a group of people review ebuilds to make sure they don't |
14 |
> > have any nastiness in them. |
15 |
> > |
16 |
> > If you restrict who can access the system too much, then you end up where |
17 |
> > we are now, with no net improvement. |
18 |
> > |
19 |
> > As for getting more attention to it -- start up threads on -dev asking |
20 |
> > for ideas. Write a GLEP. Make a fuss. :) |
21 |
> > |
22 |
> > BTW, one very real criticism of my original idea that will need to be |
23 |
> > addressed if anything is to be approved is ongoing maintainership of |
24 |
> > these user-submitted ebuilds. It's one thing to submit an ebuild via |
25 |
> > this fancy new system, but when that package has a security problem, |
26 |
> > someone needs to be there to bump the ebuild. You should not expect the |
27 |
> > current devs to take on this responsibility, nor should you expect the |
28 |
> > security team to. There will need to be some provisions made for ongoing |
29 |
> > support of these ebuilds. |
30 |
> |
31 |
> Not really the correct place for this (at first I thought you were going to |
32 |
> suggest super-stable as the fourth tier ;) but the other major concern is |
33 |
> quality and affects on supported ebuilds. For example, a user-contributed |
34 |
> gnome-libs-cvs breaks gnucash and then the gnucash dev has to stumble |
35 |
> around trying to figure out what's wrong until the user finally says that |
36 |
> they are using gnome-libs-cvs... I guess this could be worked around by |
37 |
> disallowing contributed ebuilds for official packages. |
38 |
|
39 |
Not if we stick on digital signature that athe host admin must trust to. |
40 |
Ebuilds the host admin does *not* trust to, are not taken into account by |
41 |
emerge. This is, how I believe it SHALL work, and how I'd like to see such |
42 |
policies some time. Also, at least now, at least right here, the need is |
43 |
there :) |
44 |
|
45 |
Regards, |
46 |
Christian Parpart. |
47 |
|
48 |
-- |
49 |
11:12:00 up 14 days, 22:51, 1 user, load average: 0.23, 0.25, 0.20 |