On Fri, 2006-06-09 at 02:53 +0200, Stefan Schweizer wrote:
> Stefan Schweizer wrote:
> It is actually encouraged to update bugzilla when changes are made in the
> overlay.

Encouraged? If you leave it at that, people will forget, and things will
get out of sync. At the very least you should supply per-package RSS
feeds and email subscriptions. Otherwise this will be a downgrade in
functionality from the current bugzilla system. (Which I think is
perfectly fine as it is.)

> The ebuilds have a quality, repoman is required to be run. Also contributors
> should know what they are doing - they are submitting an ebuild to
> the sunrise overlay, it needs to follow certain standards.

And what if they do know what they're doing, and what they're doing is
subverting Gentoo systems en masse? You're proposing to hand out commit
access to anyone who makes a case on IRC; you have no way to tell that
they aren't an attacker.

Part of the reason becoming a dev is expensive is that it provides a
barrier for attackers (and gives recruiters time to check that the
candidate is who they claim to be). By using Gentoo resources for this
project you're implying that the ebuilds can be trusted; hordes of users
*will* sync with the sunrise overlay, giving an attractive target to
attackers. (Or what if they're attacking overlays.gentoo.org itself?
This stuff is shell code; some well-meaning person's going to source it
at some point.)

And similarly, Gentoo's reputation would be immeasurably damaged if an
attacker succeeded in sneaking malicious code in. (Don't say you'll
review it; can you review every line of a 20K gcc4-compatibility patch?
Have you read the Underhanded C Contest?[1])


Ed


[1] http://www.brainhz.com/underhanded/


-- 
gentoo-dev@gentoo.org mailing list
