On Tue January 06 2004 1:54 am, Kurt Lieber wrote:
> On Tue, Jan 06, 2004 at 12:39:29AM -0800 or thereabouts, Robert Cole wrote:
> > I like it. That's a very good process. I'm talking about ebuilds here.
> > I'll be honest and say I don't know how the backend of the portage tree
> > works with security and all but maybe another tier would be in order if
> > possible. Like a low access new ebuild access that gets queued and not
> > actually put in the tree and someone with access could simply flag it to
> > move into the tree or reject it sending an email back to the creator of
> > the ebuild why.
>
> You've just described bugs.gentoo.org.

How easy is it for a person with access to approve an ebuild? Do they just click a button and it moves out of the "queue" and into the tree? If the person with access has to do a lot, then no wonder packages sit for a year.

> Granted, plenty of ebuilds sit in there and never make it into the tree.
> This is not the fault of bugzilla, however. It is more a problem with our
> process. Ebuilds make it into the tree when a developer cares about them.
> If no developer cares about them, they tend not to make it into the tree.
> For right or wrong, that's how things work today.

It appears you and Chris both missed the fact I'm not talking about someone not available to maintain. I'm talking about someone that is willing to and WANTS to maintain the package. It sounds like you need a better buffer between new devs and cvs. Like I said, something queue-like that the cvs dev can just click to approve and it all happens automagically.

> I believe Jon was talking more about the security side of the house. Each
> developer we give CVS access to is one more developer that can commit a
> trojaned ebuild or do something else nasty. Thus, we try to be somewhat
> careful about handing the keys to the kingdom over to new folks.

Don't you think it would ease the minds of many if there was a way to have limited access to a cvs queue instead of the real thing? A place where a cvs dev can look at a list of packages and click either approve or not, and the approved ones move at that point? Is that really the way bugs.gentoo.org works now?

In my day job I'm a network and security engineer, so I know the headaches of having too many people with full access to a switch, router, server or anything else. The fewer with that sort of access the better. If you had one dev for every package in the tree and they all had cvs access, how much of a problem would that be? GIANT! That would just be a mess.

A horrible mess, but it sounds like that's what gentoo is heading for. If all devs go through the process and prove themselves, you could end up with that mess and the possibility of someone fat-fingering something and hosing things up. I'll look at cvs closer, because I have a hard time believing that something that's been around so long and is so mature has only an all-or-nothing security setup.

Robert

--
[EMAIL PROTECTED] mailing list
