| 1 |
On Wednesday 08 September 2004 4:26 am, Jason Stubbs wrote: |
| 2 |
> On Wednesday 08 September 2004 03:14, Kurt Lieber wrote: |
| 3 |
> > On Tue, Sep 07, 2004 at 07:09:27PM +0200 or thereabouts, Christian |
| 4 |
> > Parpart |
| 5 |
> |
| 6 |
> wrote: |
| 7 |
> > > Some questions remain anyway. WHO exactly may submit (have write |
| 8 |
> > > access), and, how to get into this new idea to get a bit more attention |
| 9 |
> > > in public? |
| 10 |
> > |
| 11 |
> > Well, ideally, everyone would have write access. If that freaks people |
| 12 |
> > out a bit too much, then you could have some sort of cursory review |
| 13 |
> > process where a group of people review ebuilds to make sure they don't |
| 14 |
> > have any nastiness in them. |
| 15 |
> > |
| 16 |
> > If you restrict who can access the system too much, then you end up where |
| 17 |
> > we are now, with no net improvement. |
| 18 |
> > |
| 19 |
> > As for getting more attention to it -- start up threads on -dev asking |
| 20 |
> > for ideas. Write a GLEP. Make a fuss. :) |
| 21 |
> > |
| 22 |
> > BTW, one very real criticism of my original idea that will need to be |
| 23 |
> > addressed if anything is to be approved is ongoing maintainership of |
| 24 |
> > these user-submitted ebuilds. It's one thing to submit an ebuild via |
| 25 |
> > this fancy new system, but when that package has a security problem, |
| 26 |
> > someone needs to be there to bump the ebuild. You should not expect the |
| 27 |
> > current devs to take on this responsibility, nor should you expect the |
| 28 |
> > security team to. There will need to be some provisions made for ongoing |
| 29 |
> > support of these ebuilds. |
| 30 |
> |
| 31 |
> Not really the correct place for this (at first I thought you were going to |
| 32 |
> suggest super-stable as the fourth tier ;) but the other major concern is |
| 33 |
> quality and affects on supported ebuilds. For example, a user-contributed |
| 34 |
> gnome-libs-cvs breaks gnucash and then the gnucash dev has to stumble |
| 35 |
> around trying to figure out what's wrong until the user finally says that |
| 36 |
> they are using gnome-libs-cvs... I guess this could be worked around by |
| 37 |
> disallowing contributed ebuilds for official packages. |
| 38 |
|
| 39 |
Not if we stick on digital signature that athe host admin must trust to. |
| 40 |
Ebuilds the host admin does *not* trust to, are not taken into account by |
| 41 |
emerge. This is, how I believe it SHALL work, and how I'd like to see such |
| 42 |
policies some time. Also, at least now, at least right here, the need is |
| 43 |
there :) |
| 44 |
|
| 45 |
Regards, |
| 46 |
Christian Parpart. |
| 47 |
|
| 48 |
-- |
| 49 |
11:12:00 up 14 days, 22:51, 1 user, load average: 0.23, 0.25, 0.20 |
Archives