> On Mon, 5 May 2008, James Carlson wrote:
> 
> > Alan DuBoff writes:
> >> I am giving my commitment to the Alpine package, which I just compiled
> >> and am sending this message with.
> >
> > Paul Jakma had PSARC 2007/609 approved for Alpine.  I don't know the
> > current status of it, though.
>
> Jim,
> 
> I'm changing my package from Alpine to Exim. I also run Exim on Solaris as
> my MTA, to make it more interesting I actually run it on sparc. I will
> look to see if there's a case for Exim, but I would be surprised for Sun
> to include Exim and would suspect Postfix before it.
> 
> I'm going to be creating an Exim package for the community, for both x86
> and sparc.
> 
> Now, I'd like your opinion on this, and I hope I don't get blasted for
> this, but I'll toss it out there anyway.
> 
> I believe it is inevitable for the community to have a separate
> repository, aside from one that Sun would host. We need a place that
> doesn't have any ARC, opensourcereviews, or any other association to Sun's
> process. As we form and create packages, it seems to me that Sun could be
> a user of community packages, just like anyone else. This would allow the
> Belinix's, Shillix's, Blastwave's, or anyone else to use these packages
> without having any type of entry to provide a package.
> 
> At the Summit the concern came up if someone created a package that was
> called child-porn, for instance, that there could be liability and that we
> just can't let anyone add a package. I would like to see people allowed to
> do that, not that the package could stay or would be valid, my point was
> that anyone in the community should be able to create any package they
> want, and maybe this is a bad example using porn as the case in point.
> 
> More what I would like to see is just a separated repository from Sun, one
> without any process at all, the rules and/or how a package is accepted can
> be determined.
> 
> I fully support Sun's current system, and I would think in the future I
> might be able to integrate more software, but I've just started to learn
> the process. However, I'm ok with keeping whatever Sun has in place and/or
> continuing to uphold such for Sun's distribution, but I would like to see
> a separation of the community repository if possible, maybe hosted on
> genunix.org if Al Hopper is ok with that.
> 
> Can you offer some insight? Am I way off base here? Should I push for Sun
> to host the repository? We've already seen a couple things that are in
> conflict between the community and Sun (i.e., the OpenSolaris name itself
> as a case in point). I figure that even if Sun does create a repository
> for such packages, we should have a community repository that has no
> strings attached. Sun folks can take those and integrate them into
> whatever distro they like, the community would essentially prepare them
> for Sun so they could take them and use/qualify them, and I see myself
> involved in that aspect, possibly, but as a community member I'd like to
> build and create packages for OpenSolaris myself as others do/will.
[...]

As a consumer of packages, I would want full disclosure of whatever the
repository's rules for admission were, including testing standards, use of
existing libs (vs providing most of their own dependencies so that the
package works across a range of Solaris versions, like blastwave tends to do),
etc.  And in most cases, I'd want the binaries to get a clean bill of health
from appcert, so that I wouldn't have to worry about them being broken by some
future OS upgrade, given that there's no paid support and thus no way
to really have a commitment of support.  Oh, and I'd want to know to what
degree they were watching for CERTs and the like and actively updating for
at least that reason as needed.

That's the _minimum_ I'd want to know about what to expect of something
retrieved from a repository; I'd probably want to know more on a case-by-case
basis.

Whether it's a vendor or a community site, I want to know if I can trust the
software to do what one might reasonably expect that particular FOSS to do,
and to continue to do so after an OS upgrade.

"This worked for me, if it works for you too, that's cool" is too weak, IMO; it
depends totally on both the skill and integrity of the packager, with no checks
and balances whatsoever.

But whatever the repository standards (or lack thereof), full disclosure is
critical; and the less detailed their standards and processes, IMO the more
important it is that their build recipes and procedures are available, so that
anyone can replicate them to do their own troubleshooting or maintenance.
 
 
This message posted from opensolaris.org
_______________________________________________
opensolaris-discuss mailing list