On Tue, 2004-01-06 at 10:18, Robert Cole wrote:
> On Tue January 06 2004 1:54 am, Kurt Lieber wrote:
> > On Tue, Jan 06, 2004 at 12:39:29AM -0800 or thereabouts, Robert Cole wrote:
> > > I like it. That's a very good process. I'm talking about ebuilds here.
> > > I'll be honest and say I don't know how the backend of the portage tree
> > > works with security and all, but maybe another tier would be in order if
> > > possible. Like a low-access new ebuild access that gets queued and not
> > > actually put in the tree, and someone with access could simply flag it to
> > > move into the tree or reject it, sending an email back to the creator of
> > > the ebuild saying why.
> >
> > You've just described bugs.gentoo.org.
>
> How easy is it for a person with access to approve an ebuild? Do they just
> click a button and it moves out of the "queue" and into the tree? If the
> person with access has to do a lot then no wonder packages sit for a year.

Well, NOTHING would get added without testing, so there's no need for any form of "button" to "approve" anything.

> > Granted, plenty of ebuilds sit in there and never make it into the tree.
> > This is not the fault of bugzilla, however. It is more a problem with our
> > process. Ebuilds make it into the tree when a developer cares about them.
> > If no developer cares about them, they tend not to make it into the tree.
> > For right or wrong, that's how things work today.
>
> It appears you and Chris both missed the fact I'm not talking about someone
> not available to maintain. I'm talking about someone that is willing to and
> WANTS to maintain the package.

Someone who is NOT a developer, and therefore not held liable. If I add a package to the portage tree, I HAVE to maintain it. That is the current Gentoo policy, and I think a VERY good policy for keeping poor-quality ebuilds out of the tree.

> It sounds like you need a better buffer between new devs and cvs. Like I said,
> something queue-like that the cvs dev can just click to approve and it all
> happens automagically.

The truth is, I would like to see FEWER packages added, as it seems the quality of some packages is deteriorating, while others are getting MUCH better. Gentoo is working to provide excellent quality control. We do not wish to EVER force the user community to do our QC for us, which is why most of your ideas simply won't work. Pushing the testing phase onto the users is a horrible idea, as it makes it EXTREMELY easy for a user to end up with a very broken system. We try to provide only working packages and not things which are of poor quality, as it reflects on us, as developers.

> > I believe Jon was talking more about the security side of the house. Each
> > developer we give CVS access to is one more developer that can commit a
> > trojaned ebuild or do something else nasty. Thus, we try to be somewhat
> > careful about handing the keys to the kingdom over to new folks.
>
> Don't you think it would ease the minds of many if there was a way to have
> limited access to a cvs queue instead of the real thing? A place where a cvs
> dev can look at a list of packages and click either approve or not, and the
> approved ones move at that point? Is that really the way bugs.gentoo.org
> works now?

It's somewhat close, at least in many areas. There have been a few times where a user has submitted an ebuild for something which I have added to the tree. The ebuild is maintained by me, however, and I am the one responsible when something goes wrong. This way, I don't add anything to the tree that I would not feel comfortable running and maintaining myself. This provides a nice level of quality, which so far has worked quite well for Gentoo. It takes only a couple minutes and a very few steps to add an ebuild to the tree. The longest time is spent making sure the ebuild is correct and that the package works as expected once it is merged.

> In my day job I'm a network and security engineer, so I know the headaches of
> having too many people with full access to a switch, router, server or
> anything else. The fewer with that sort of access the better. If you had one
> dev for every package in the tree and they all had cvs access, how much of a
> problem would that be? GIANT! That would just be a mess. A horrible mess, but
> it sounds like that's what gentoo is heading for if all devs go through the
> process and prove themselves. You could end up with that mess and the
> possibility of someone fatfingering something and hosing things up.

How is Gentoo heading for one dev per package? I don't understand this. The games herd has only a few members, yet we maintain over 400 ebuilds. We each proved ourselves to get brought on board as developers and we each do our part to keep gaming on Gentoo going well. Not to mention that if a developer consistently falls down on his duties, he will have his status revoked.

As for fatfingering things, we've all done that before. Forcing a few developers to wade through hundreds of ebuild submissions isn't going to really help that. Instead, the developers will get lazy and become quite lenient on what they let through. After all, these are normal people with normal lives. We all volunteer our time to Gentoo and there are many times when a person becomes lazy or unenthused. The truth is that no matter what we do, it won't be enough. There are just too many users compared to the number of developers, and there are always going to be new things the community wants added to Gentoo which will take developer time and energy to implement. We can only do so much in our limited time.

> I'll look at cvs closer because I have a hard time believing that something
> that's been around so long and so mature has only an all-or-nothing security
> setup.

Well, cvs does allow for more fine-grained controls over the tree; however, Gentoo has decided not to use these and rather to rely on trust to keep things in order. This way a developer is not prohibited from contributing in an area for which he is not an "official" part. For example, if we were to implement strong access controls, I would be allowed to access the games-* parts of the tree. However, I also maintain a few packages under net-misc. If I were to add a new package, I would have to request access for that area, which is a serious bottleneck when you're looking at hundreds of developers each needing access to different areas. The way Gentoo looks at it is simply that if we can't trust you with the whole tree, why should we trust you with any of it?

--
Chris Gianelloni
Developer, Gentoo Linux Games Team
Is your power animal a penguin?
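As an added illustration of the "more fine-grained controls" the reply mentions (this is example code written for this page, not anything Gentoo or the CVS project ships): a small commitinfo-style pre-commit check that only lets a committer write under the top-level tree areas they are listed for, with deny as the default. It assumes that CVS hands the hook the repository directory as its first argument and rejects the commit on a non-zero exit, and that the committing user name is available to the hook; the ACL file format (`user:area[,area...]`), its path, the repository root and the user and area names are all constructed for the example.

```shell
#!/bin/sh
# Added example, not Gentoo's or CVS's own code: a commitinfo-style hook
# that confines committers to the tree areas they are listed for.
# Assumptions: the hook receives the repository directory as $1 and a
# non-zero exit rejects the commit; the ACL file format and path are
# invented here, as are the user and area names in the sample ACL.

CVSROOT="${CVSROOT:-/var/cvsroot/gentoo-x86}"        # hypothetical root
ACL_FILE="${ACL_FILE:-${TMPDIR:-/tmp}/cvs-area-acl.$$}"

# Write a constructed sample ACL so the script runs stand-alone.
write_sample_acl() {
  cat > "$ACL_FILE" <<'EOF'
alice:games-action,games-fps
bob:net-misc
EOF
}

# area_allowed USER DIR: return 0 if USER is listed for the top-level
# area that DIR (a repository path) falls under, 1 otherwise. Unknown
# users and unlisted areas are denied by default.
area_allowed() {
  _user=$1
  _rel=${2#"$CVSROOT"/}            # strip the repository root prefix
  _area=${_rel%%/*}                # first path component, e.g. games-action
  _areas=$(grep "^${_user}:" "$ACL_FILE" | cut -d: -f2-)
  [ -n "$_areas" ] || return 1
  _old_ifs=$IFS
  IFS=,
  for _a in $_areas; do
    if [ "$_a" = "$_area" ]; then
      IFS=$_old_ifs
      return 0
    fi
  done
  IFS=$_old_ifs
  return 1
}

# check_commit USER DIR: hook entry point; prints the decision and
# returns 0 (allow) or 1 (reject), which is what CVS would act on.
check_commit() {
  if area_allowed "$1" "$2"; then
    echo "commit to $2 by $1 allowed"
    return 0
  fi
  echo "commit to $2 by $1 rejected: not listed for that area" >&2
  return 1
}

# Demonstration when run directly with --demo (a real hook would just
# call check_commit with the committer and $1).
if [ "${1:-}" = "--demo" ]; then
  write_sample_acl
  check_commit alice "$CVSROOT/games-action/quake3"
  check_commit alice "$CVSROOT/net-misc/curl" || true
  rm -f "$ACL_FILE"
fi
```

The trade-off the reply describes falls straight out of the ACL table: with this in place, a developer listed only for `games-*` cannot touch `net-misc` until someone edits the table, which is exactly the per-area request bottleneck the message argues against.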