Renat Lumpau <[EMAIL PROTECTED]> writes: > On Wed, Jan 11, 2006 at 04:59:56PM +0100, [EMAIL PROTECTED] wrote: >> The current proposition is specified here: >> >> http://svn.gnqs.org/projects/gentoo-webapps-overlay/wiki/UpstreamRequirements >> >> In my discussion with Stuart this morning I did realize that there are >> not too many packages available that would actually meet these >> criteria. So far we probably have around five in the portage tree. > > I'm still not 100% clear on rationale for requirements as outlined there. > As Gunnar pointed out, very few packages in Portage currently satisfy those. > Perhaps it would make sense for us to start by outlining the goals of our > upstream requirements (e.g., reliable contact in case of security bugs) and > then > decide how to best achieve them?
Concerning the goals I have a question: How much of a problem do we currently really have concerning man power in web-apps? If I look at bugzilla, web-apps seems to be in pretty good shape or am I mistaken there? What is hard for me to judge is what kind of impact the security problems had during the last year. What were the main problems for the web-apps herd? In the end security is always a compromise between quality, ease of use and the actual man power available. I admit that I'm usually in favor of usability as long as that is something we can provide with a good conscience. > >> The main blocker are the security requirements since many projects do >> not provide special security contacts or mailing lists devoted >> security. For some projects this probably implies that they actually >> don't care too much about security. > > This also makes it difficult for us to ship packages that are maintained by a > one-man team. While there's something to be said about the maturity and > reliability of such packages, we shouldn't automatically disqualify them. > >> I also had the impression that one of the packages that has been a >> mojor problem last year (phpBB) actually nearly fulfills the current >> requirement proposals (at least to a greater extend than many of the >> smaller packages) but nonetheless has caused quite an amount of grief. >> Having bugs tracker, announcement lists and security mails might not >> always cover up for direct experience with the project itself. > > Excellent point. > >> So I would suggest that we enforce the current proposal in the all >> cases where we do not have a developer in our herd actively using the >> package. I think that any dev's of our herd that actively uses a >> package is probably a better source of information about the security >> of the package than the mailing lists of the project. At least as long >> as I assume that we care a lot more about the security of our servers >> than the average user. But I believe that's a safe bet. > > I don't actively use most of the packages I have been maintaining > (bugzilla, otrs, joomla etc). This means that we'd still have to drop a large > number of ebuilds. Perhaps that's not such a bad thing though. > > I've been toying with the idea of limiting Portage to a key set of web-apps > that > are broken down into several categories such as CMS, wiki engines, fora, etc. > Personally, I don't think we need to ship every wiki package out there. Of > course, we'd need to tread carefully to avoid the appearance of limiting > end-user choice, which is where our overlay comes in. Any thoughts > on this? Depends pretty much on whether we decide to clean the tree and move packages out. Once we get an estimate on what amount of package we want to support for the main portage tree we could decide how to distribute that to different categories. -- Gunnar Wrobel Gentoo Developer __________________C_o_n_t_a_c_t__________________ Mail: [EMAIL PROTECTED] WWW: http://www.gunnarwrobel.de IRC: #gentoo-web at freenode.org _________________________________________________
pgp8JfzIbxe7E.pgp
Description: PGP signature
