On Thu Oct 02, 2003 at 06:01:39AM -0400, Austin wrote:

> >> You are all missing the easiest solution:
> >> --- unite contrib and main ---
> >
> >No way in hell... not the way things currently stand.
>
> >> The only drawbacks would be:
> >> - more security updates (this could lead to safer distro though, ditch
> >> the unsafe apps altogether)
> >
> >Really? Some of those things are in contribs for precisely that reason...
> >people need/want the apps but we've recognized them as being unsafe(ish).
> >Which would involve more QA, more testing, more post-release support, more
> >developers paying attention to what's in contribs, and just plain old more
> >of everything.
>
> Which would not be a problem if we had fewer packages AND more help, right?
> Both of these things are possible in the future.

Right. But we have fewer packages by just supporting main right now. It
can be (somewhat) adequately handled as things stand now (this is why the
EOL policy was put into place). Doubling up the number of packages
effectively doubles my workload. Not a very cool thing.

> >The more packages
> >we provide, the more room for error, the more bugs, the more post-release
> >support, the more QA, the more testing, the more validation... can I say
> >"more more more"? =)
>
> More support, more QA, more testing, and more validation sounds like a GOOD
> thing to me...

Yes! But on the current set of packages. =) We need more of that already
(in my mind). Throwing more stuff into the mix just makes it that much
harder.

> >I didn't know we were in a contest for the number of packages we provided.
> >I thought the question was quality, not quantity.
>
> It's not a contest. It's letting the end user get his work done. I don't
> know if you're in any LUGs or other mailing lists, but most people I get
> support questions from DON'T use contribs. They download single RPMs, frig
> around with dependencies, then nothing works, then they ask for help.

Yeah, I'm on a number of mailing lists and active on my own LUG list. No,
a number of them don't use contribs. I don't encourage it unless there is
a package there that they need. But I don't discourage it either. This is
also an opportunity to tell them about urpmi.

> Why the hell can we ship them contrib apps on a CD, but not have an
> automated way for them to set up a contrib repository at installation time?
> (No, urpmi.setup is not an obvious command for a new user to run)

If you buy the powerpack, does the installer not ask you what CDs you
have? I didn't realize it omitted the contribs CD that came with the pack.

> >SNF is dead. MNF still exists, and Corporate Server is what you mean to
> >refer to (MNF is not server-specific, it's application-specific).
>
> Okay, let me rephrase. There could be a server-specific version without
> the contribs stuff.

Which would be Corporate Server.

> >I am not at all interested in supporting a merger of contribs and main
> >unless there is a *lot* more help in supporting it.
>
> It would not be possible otherwise... I wasn't proposing doing it
> tomorrow. If 9.2 gets lots of press, and we publicise the wiki as much as
> possible, and we make it easy and inviting for new contributors (it's not
> exactly so now), we should be able to attract more help, then people like
> Gotz, Per Oyvind, and I wouldn't have _hundreds_ of packages each to
> maintain, and maybe we could do a better job of stabilizing them and
> supporting them. Anyway, it's a concept, not a proposal to unite the two
> repositories tomorrow.

There is more to it than that. Updates is a little... touchy. More
contributors is not going to help. I can't share the specifics of a number
of vulnerabilities I work on prior to them going public, so I would still
have to do the work myself. I can't delegate non-public
vulns/patches/fixes to folks. That would be a really quick way of getting
Mandrake removed from the "loop" and destroy relationships with other
vendors and organizations that I've established over the years.

For that reason alone, updates cannot be done by folks who are not
MandrakeSoft employees (security updates, that is... bugfix updates are
not as sensitive). I refuse to put us in a position where we play catchup
with other vendors because that does a great disservice to our users. And
for that reason alone, community involvement in updates is not enough.

-- 
MandrakeSoft Security; http://www.mandrakesecure.net/
Online Security Resource Book; http://linsec.ca/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
