Re: [gentoo-dev] [soc] Python bindings for Paludis

2007-04-03 Thread antarus

Mike Kelly wrote:

Alec Warner wrote:
  

The fact that Gentoo can continue with the codebase is irrelevant.  I
think moreso the fact that a particular Package Manager would be the
'Gentoo Package Manager' means in my mind that Gentoo is responsible for
said Package Manager.  If someone were to slip evil code into said Package
Manager and Gentoo released it; that would be bad.

Note that with Portage, Gentoo could pull svn access for any individuals
who commit such code.  Gentoo have no guarantee of that with an externally
managed Manager as Gentoo has no control over the source repositories.

If, by your comment above, Gentoo should maintain its own branch of said
package manager to insulate itself from issues such as the security issue
defined above; well I think that may be one way to address the problem
presented by Seemant.



Come on, that's a bogus argument. By that logic, we should be
maintaining our own branches of, say, sys-apps/shadow, since we don't
control the upstream CVS repository. I think something that's installed
in the base system set would also be perceived as something that
Gentoo is responsible for, since we ship it in our stage tarballs, the
basic building blocks of a Gentoo system.
  


Except we aren't the authors of sys-apps/shadow.  sys-apps/shadow is not 
a Gentoo project.


I think there is a difference.  Take the issue with the Ubuntu installer
that left the root password in a log in /var.  Who was responsible?
Ubuntu.  Why?  Because it's their installer, their project.  We don't
endorse things like sys-apps/shadow; we just happen to use it.  If we
say 'Package X is the official manager', then to me that implies
endorsement.  A package manager is a solid part of Gentoo.  Source based
package management is a huge part of what separates us from all other
distributions,  I think that has some meaning, if not to you then to
many of our users.  If there was such a security problem with the
official manager, who is responsible?  Gentoo.  Even if it's not really
'our' project.  Because it's our manager.  Not any other distros, but
ours.


-Alec
--
gentoo-dev@gentoo.org mailing list



Re: [gentoo-dev] Re: EAPI spec (was Re: Re: let's clear things up (was Slacker archs))

2007-02-21 Thread antarus




Clearly you are more concerned about getting Paludis ready. spb has other
priorities, fair enough, but this is something that seems fairly important
for gentoo as a whole.

In process terms, I can't understand why the team working on it isn't a
pkgcore dev (eg marienz if you can't communicate with ferringb), a portage
dev such as zmedico, yourself from paludis and say antarus from
treecleaners. I'd add in someone like jakub or spanky from bug wranglers
and Gianelloni for the infrastructure. Having it all from one set of devs
(paludis) is like having w3c standards written by one company.


  
While treecleaners really doesn't have anything to do with PMS; I am a 
portage dev.  However I'm not really interested in writing the spec 
itself; I plan on looking at it when it is closer to completion.  I 
don't claim to have the requisite bash or ebuild magic to author this 
document (nor do I really care about certain aspects of PMS).


I'm more concerned about people changing the tree for paludis 
compatibility; but in most of the cases I've seen the changes requested 
seemed reasonable to me.


I think the whole deal is blown out of proportion, mostly because many 
people dislike Ciaran, and unfortunately Ciaran dislikes (or distrusts, 
may be a better word) many other people (myself and Brian Harring 
included).  If the aim is to get everyone to work together to make a big 
happy spec; I just don't see it happening (the teams really don't get 
along well when discussing technical issues).  The only potential issue 
is that PMS comes out and the aforementioned 'meddlers' make their 
statements and it is a situation that is beyond reconciliation.  You've 
basically written a PMS that may never get approved just because we will 
never agree on a standard anyway (due to specific differences in how we 
view a PM working).


In essence, delaying all the confrontation to the end.  Which is cool 
with me; tbh ;)
