On Fri, 2006-06-09 at 19:41 +0200, Patrick Lauer wrote:
> > This *will* affect *every* ebuild developer.
> Maybe you don't realize that taking ebuilds for packages that are _not in
> portage_ and providing them in a nice bundle does not affect every developer?

I'm sorry for the language, but I call bullshit. It is painfully obvious by your response that you've never had a library that is an optional dependency (and one we don't --without during configure, since it isn't in the tree) cause a problem in one of your packages. Allowing libraries means it can cause breakage. Period.

> No one wants to push a new cvs-snapshot of glibc. That's so not the point
> here.

Nobody ever said that you have to push a new glibc to cause mass breakage.

> But having a controlled managed overlay with ebuilds that are now spread
> all across bugzilla ... that would be a good service to our users.

Since when was overlays.gentoo.org supposed to even be a service to our users? As I understand it, the goal was to ease development, not to provide an easy method for half-working ebuilds to make it to our users' machines.

> > This means it *CANNOT* be left up to a small group of developers to
> > decide without any discussion on the matter.
> So now we're a democracy where everything needs to be voted upon?

Anything this abhorrently stupid doesn't need a vote. It should be cast out on its complete lack of merit, alone. Also, at no point did I ever ask for a vote. Don't put words in my mouth and I'll try to pretend like I care what you say, OK?

> *sigh*
> Let's leave that debate for another day ...

You brought it up, not I. Feel free to debate it with yourself until you're blue in the face.

> > > Yes, now it is easier to check out the ebuilds. More users ==> better
> > > testing.
> >
> > Except that now the developer has to do much more work to get the same
> > information, making it even less likely that he'll bother to pick up one
> > of these maintainer-wanted bugs.
> s/the developer/I/

You're right... I had that wrong.

s/the developer/the developers/

After all, there have been quite a number of people agreeing with me.

> there are some devs that would prefer this overlay environment.
> Please don't push your personal preferences as The Right Way (tm)

Ehh. Were you an ebuild developer, your opinion might actually count for something when it comes to an ebuild development discussion. By the way, where's the GWN this week?

> > You also completely gloss over the
> > ability of a single rogue user to now compromise countless users with a
> > single commit.
> And an ebuild on bugzilla has more security?

Nope. However, I'm also not proposing that ebuilds from bugzilla automatically get pulled in over some magical overlay that is supposed to fix all of the problems Gentoo's ever had with unmaintained packages.

> We're just making it easier to use these ebuilds. Also I expect the
> maintainers to keep a reasonable quality standard.

I'm glad your faith in them is so high. My faith in *any* group this small having the ability to watch over a large number of outside contributors simply isn't there.

> > Please come back once you've firmly grounded yourself in
> > the reality that we're a pretty popular distribution, and that makes
> > this project a prime target for malicious abuse. Perhaps if you were
> > responsible for some ebuilds, you'd be more cognizant of the
> > implications that a bad commit can cause our users.
> I am not responsible for ebuilds because I don't trust myself enough :-)

That's great. I don't trust you enough, either. ;]

> That doesn't stop me from giving out access to my server to anyone who
> has a good reason ... like the Gentoo/HURD repository or the Java
> overlay.

Well, we thank you for your immense self-sacrifice. What this has to do with the topic at hand, I have no idea.

> > > That differs from the 20 or so overlays maintained by users how?
> >
> > Let's see. They aren't on Gentoo infrastructure, which means they don't
> > give off any immediate assumption of being "official" or "supported" in
> > any way.
> > Hell, go back and look at Peter's response about how he would
> > use an overlay such as this only *because* it is on Gentoo
> > infrastructure.
> >
> > So what exactly was your counter-point again?
> We have control over sunrise. And hey, if it sucks kill the project with
> silver bullets, a stake to the heart and two pounds of garlic.

I'm locked and loaded.

> Just don't kill an idea before it is even tested ...

Why not? What reason is there to stop me from aborting this brain-dead monstrosity before it claims a single user casualty, let alone our reputation? I would have thought that your involvement in "PR" would have you thinking better. A reputation is something that takes years to establish, and seconds to demolish. You, of all people, should know that.

> > Having an overlay such as this will tarnish Gentoo's reputation.
> No :-)
> What reputation are we talking about? The distro that lags in updates
> behind others?

Yes, we are *so* lagged behind everyone else. Where do you come up with these "facts" anyway? I'd like to visit this mythical land.

> Where you see a problem I see potential: More well-tested ebuilds,
> recruiting potential developers ... if you don't want that you're an
> elitist bastard. ;-)

Aww, how sweet. We've started the name calling. I'm sorry, but having a general dumping ground for all of the crap that nobody found useful enough to actually include into Gentoo doesn't sound like the paradise that you're making it out to be. Luckily, I'm finding that I'm not alone in this, and that quite a few developers are backing me on this one. We're not blind to the problems with this project in its implementation, management, and intended goals. Perhaps you should open your eyes and seriously look at what you're pushing as a solution?

> > We
> > should not be providing *anything* that is only half-supported or
> > half-tested. Anything less than being fully supported via the security
> > team and QA is a failure on the part of Gentoo.
> > We have enough *crap*
> > in the *tree* that is unsupported, which makes us look bad, yet you want
> > to insist on supporting a project that affects all of the ebuild
> > developers, which you have not mentioned is a group which you are not a
> > part of, so can gladly speak of increasing their workload with no
> > consequences to yourself, and provides an avenue for low-quality or
> > possibly malicious ebuilds to be distributed to our users, all under a
> > Gentoo banner?
> No :-)
> 1) It doesn't increase your workload - these packages are things that
> are _not_ in the main tree.

I'm sorry, so your answer to this point is to just say that it is wrong with absolutely no data to back it up. Sounds about par for the course from this project's proponents. I've shown many examples where this *could* and *would* adversely affect developer workload for developers in the main tree. You are unable to refute it, so you simply state it isn't true with absolutely no way to substantiate your claims.

> No overlap --> no stupid bugs with overwritten ebuilds etc.

Hahahahaha! Misdirection at its finest. So tell me, where do I learn this valuable skill of completely avoiding the truth and pretending to be blind to facts. It sure must come in handy.

> 2) low-quality? I might mention that I'm hosting some overlays that have
> non-gentoo contributors (*gasp!*)

Sure. Overlays that are run by Gentoo developers with a specific project in mind, where the project is also the maintainers of the similar packages in the tree, are intimately familiar with the packages, and are also responsible for all the bugs regarding them. Did you have a point, other than to help reiterate what I have said over and over again? You're starting to help my case as much as Jakub.

> Why are they hosted on my server? Because the contributors are not (yet)
> gentoo devs, but provide good to excellent input to the projects. So now
> you tell me that I'm doing wrong in helping Gentoo development?
> These
> people can't contribute to other gentoo-hosted projects, so it is easier
> to move the repositories to a more liberal server.

No. They're on your server because we had no facility for them to be placed on our infrastructure. They could all easily be moved now and would be well within the parameters for the overlays project. However, project sunshine flies directly in the face of those parameters, and should be killed before it is allowed to harm Gentoo.

> That tells me that Gentoo development is fundamentally buggy when we
> complain about a lack of manpower and then say "yeah, but not _that_
> kind of manpower" when users try to help.

Except nobody says "Hey, I'd like it if users would start adding more stuff to an overlay that isn't maintained by any Gentoo developers so I can get more bugs that don't have anything to do with the official Gentoo repository. That would be swell." Asking for help where help is actually needed is one thing. Creating a project to dump all of the useless shit and try to pass it off as "helping" development is another.

> <cynic>
> And people wonder why usually things get done secretly and then
> presented as a finished product - no wonder, it seems to be the only way
> to get _anything_ done.
> </cynic>

Perhaps because stupid ideas such as this should never see the light of day and would be shot down by anyone sensible enough to look at it on its actual merit versus some hare-brained concept of how important they are and how much this will "help" development?

> > I seriously question your motives towards the Gentoo project.
> Good. Question them. I'm still doing what I can to help ... doing such silly
> things as finding new servers for Infra and writing articles for the GWN.

Really? Which servers? Which articles?

> If that isn't good enough ... well ... who cares. You invest as much as
> I do in your own server for Gentoo usage and I'll not question _your_
> motives.

Like the hardware I've donated on multiple occasions?
Or the hours and hours I spend working on Gentoo's actual products? How about the hours spent running the Gentoo Store, that actually brings in money for Gentoo? Spending a few dollars doesn't make you anything more than a monetary contributor. It doesn't buy you any respect. It doesn't buy you anything.

> Remember that "Gentoo is all about choice" discussion that pops up every
> now and then?

Yeah, I remember it. I also remember that only idiots continue to tout that party line as some kind of backing for every stupid and hare-brained idea that should never see the light of day. Are you really trying to use that as an argument for why something that can be shown to be a bad idea should be done? How about instead actually answering the issues that have been presented?

> If a motivated group of devs wants to try an overlay experiment you
> should let them try. Worst case it's a failure and gets punted after two
> months.

No. The worst case scenario is someone gets some malicious code in the overlay and countless Gentoo boxes around the world get owned, Gentoo catches the brunt of the backlash, and the distribution starts losing users left and right and ends up dying out simply because a few selfish developers couldn't be bothered to actually take into account what other developers are telling them and decided to go forward with a stupid idea. Of course, I'm probably an optimist and much worse could probably happen.

> > Wow. Another one of those "I can't answer your issue, so I'll just try
> > to divert your attention somewhere else" answers. Thanks for absolutely
> > nothing but contributing noise.
> You know, I've met you at FOSDEM and I know that you don't mean this as an
> insult, but it is very easy to misread it as that.
> Might I suggest that you don't formulate responses in a way that can
> easily be read as a personal attack?

Might I suggest you actually answer a damn question instead of using redirection and vague promises as some sort of quasi-argument?

> > > > Wouldn't this process be *infinitely* easier if instead of "sunrise"
> > > > there was a "pam" overlay with *only* the pam stuff?
> > > Ooooh, cool. Now I need about 75 overlays to get things done, and of
> > > course there will be no bad interaction between them ;-)
> > As opposed to the free for all that is this overlay?
> It's easier to manage one big overlay - at least that seems to be the
> motivation for doing it.

How exactly is it easier to manage a large number of ebuilds versus a small number?

> And if we're all mistaken we at least learn a valuable lesson.

Yes, that a small group of people shouldn't be allowed to make decisions for the whole and not take into account any of the cons in their ideas, instead plodding forwards as if there were no objections to their ideas.

> > > ... and if we control the overlay we can exclude things like system
> > > packages easily.
> >
> > You really do a good job of making attempts to skirt the issues. Do me
> > a favor, if you're just going to use vague references and try to avoid
> > answering the issues at hand, don't bother wasting everyone's time by
> > replying. You're more than welcome to provide some *useful* insight,
> > but simply stating that something won't be an issue doesn't make it
> > true.
> And you are trying your best to make me look like an ass. Please stop
> doing that, it makes discussion really hard. Keep to technical issues.

Quit averting the issues when they are brought up.

> The issue is: This overlay will _not_ contain BreakMyGentoo-style
> ebuilds of new versions of things in portage. There won't be a glibc cvs
> snapshot. Just ebuilds that for now live in bugzilla and are hard to
> find. We wish to provide them in an easy-to-use package to our users.

This overlay *will* allow libraries that could inadvertently affect any number of packages in the Gentoo repository.
This overlay *will* allow commits from anyone that requests it and has a half-way decent ebuild in bugzilla, without doing any of the trust-building that is normally required for someone to have commit access to a Gentoo resource. This overlay *will* not be monitored by any of the Gentoo security project, yet will be an official repository of ebuilds coming from Gentoo and hosted on Gentoo infrastructure.

> You know ... users. Those people that are not devs. Some of us try to
> give them the best experience we can, and if there is something like an
> overlay that even the more n00bish users can use we should try to
> provide it.

Huh? You mean the ones that expect us, as developers, to have their best interests in mind and to not allow poor-quality and potentially hazardous ebuilds to hit their machines? The same ones that trust us with the stability of their machines? The same ones that choose Gentoo because we're the best, not because we have some dumping ground of barely-wanted packages? Yeah, those users...

> > > And again, one svn repo vs. 113 hard-to-find bugs ...
> > Amazing how you pull such numbers out of thin air.
> It's a special talent. 47 <-- just for you

Ahh, so you're lying. Thanks for pointing that out. It definitely helps.

> > Which 113 bugs are you talking about, exactly?
> Try to find the relevant files in the three bugs jakub posted.
> Now try that for multiple packages ... Most users won't need to harvest
> 113 bugs, but I'd prefer a "svn up". It's just so much saner and less
> work that it is hard for me to see how bugzilla even makes sense.

So you don't have a list of 113 bugs, but instead go on to speak of your preference to svn up. Now, I'm going to make this plain and simple. This is you avoiding the question that was presented to you.

> > Isn't that what the process of becoming a developer is supposed to
> > build?
> That process that many people consider too complicated and
> time-consuming?

Yes.
That *exact* process that weeds out the people that honestly want to be a part of Gentoo and those that casually want to contribute.

> Not everyone wants to spend 20h a week on Gentoo. Some people just want
> to maintain their personal app for Gentoo. In some cases we already have
> proxy-maintainers, so I don't see why we should not try to find more
> motivated smart users to help.

Great. Why do they need an overlay to do their job? The funny thing is that nobody has answered this question. All that anyone has done is given some vague references or promises about how it'll be "better" having an overlay with nothing to back it up. However, I've been able to show quite a few ways in which this overlay will hurt Gentoo. There have also been comments from other developers, and users, that have been all but ignored. I guess it is hard to respond to something when you have no way to refute it, but I digress.

> > Also, just because I trust one person, doesn't mean I trust
> > someone that you trust. Trust is not implicit, it is earned.
> That's why most Gentoo devs can have an account on my server. Except
> those that have told me directly that they don't like me :-)

Again, you decide to point out something that is only somewhat related and try to use it as a proving point for your position, when it really bears no real relevance. What exactly does trusting developers, which have been members of the community for some time and have proven themselves, have to do with trusting a random set of users?

> > Some
> > random user having complete access to an area where only people that *I*
> > trust should really have access is not instilling faith in me of this
> > project. However, instead of answering these concerns, you simply brush
> > them aside as a non-issue, though I am not the only developer that has
> > spoken out on this *exact* same issue.
> The difference between a random user and a dev often is not much more
> than an @gentoo.org email address.
> I don't consider all users
> untrustworthy - if they show that they wish to help we should not
> sabotage them. Maybe you don't remember the time when you were "just" a
> user?

I don't consider all users untrustworthy. Never once have I said that. This is another attempt to try to put words into my mouth so that you can hit home your own ideas, which aren't even relevant, since I didn't *say* what you're responding to. Remember what I said, and that you agreed to. Trust is earned.

> If someone wanted to exploit boxen he'd use a much simpler attack
> vector ... our rsync mirrors are wide open. No need to secure the little
> window over there when the front door is open ...

Really? I'd like you to give me root on rsync.gentoo.org, then. What's that? You can't? What a wonder!

> Instead of trying to kill this idea you should try to get it modified
> into something we all can agree on.

I tried that. I ended up receiving vague references about how the current plan will make things "better" and how nothing needs to change. Either that or the issues were simply ignored. That to me says that the team involved isn't interested in compromise. That only leaves one course of action for me, and that is to work to kill the project.

-- 
Chris Gianelloni
Release Engineering - Strategic Lead
x86 Architecture Team
Games - Developer
Gentoo Linux