Re: [oi-dev] Discussing maintainers visibility in oi-userland

2017-05-15 Thread n 
I know this sounds ridiculous, from a security researcher who has had 
every version of dropstat and dropttdb.c for the entirety of archs and 
os's running them:


CDE is back and re-released with a (better but likely still broken 
codebase).


Grab the source maybe if you can afford to just firewall all RPC and X, 
etc...


I always liked the exploit lurid found in sadmind, not one of the silly 
overflows, but the AUTH_UNIX bug.  I counted several overflow exploits 
during the time that was private.


n...@mod.net



On 2017-05-12 01:10 AM, Till Wegmüller wrote:

If we talk bigger components like XFCE i would say that this is pretty
much how we are handeling them right now. We only take in these when
we know that a Contributor is able to support them over a period of
time. Otherwise we leave try to put stuff like this into SFE or pkgsrc
where there are people (and buildservers) providing packages for many
things.
I would say that this seems the way to go with the bigger Components.


---
Greetings
Till

On 12.05.2017 09:27, Dariusz Sendkowski wrote:

In my opinion, the current system looks fine.
Having a maintainer per component could be a nightmare for both 
maintainers and contributors. Maintainers are usually bottlenecks for 
various reasons no matter how hard they try not to be.
It could slow down the whole process significantly. Right now, it 
seems to run pretty flawlessly.


But how does it work for big and complex components (like desktop 
environments)? Should they be rejected due to the lack of the 
contributor's maintenance guarantee?
When I look at the contributors' list I see that people appear and 
disappear and that's a natural process.
This implies that nobody can guarantee that they will maintain 
components they add (I mean the bigger ones).




2017-05-12 6:22 GMT+02:00 Alexander Pyhalov >:


On 11.05.2017 22:13, Peter Tribble wrote:

On Thu, May 11, 2017 at 6:56 PM, Aurélien Larcher <
aurelien.larc...@gmail.com 
>

wrote:


The question raised is whether we should formalize a
maintaining process
for some important components or groups of components.

At some point I joked about a campaign going like "Adopt a
package".


There are downsides to having a formal owner: they can become 
a
bottleneck, and it might discourage others to contribute in an 
area

where there's an individual (or individuals) listed. Also,
people may be
reluctant to contribute if there's a prospect of being 
lumbered with

the responsibility going forward.

But, if you can avoid that, then there are benefits to having
what we
would call "Subject Matter Experts" for components or groups. 
Having
someone who is reasonably familiar with the component, 
preferably
someone who uses it, is useful as a source of help and advice, 
and

having a list of such people and their specialities would be
useful to
other contributors.

Putting such a list on display would also show that OI wasn't 
just a

one or two person effort, which would be good.


Yes, this idea seems reasonable. BTW, recently github started
suggesting reviewers
and it does it rather well.
---
System Administrator of Southern Federal University Computer 
Center




___
oi-dev mailing list
oi-dev@openindiana.org 
https://openindiana.org/mailman/listinfo/oi-dev





___
oi-dev mailing list
oi-dev@openindiana.org
https://openindiana.org/mailman/listinfo/oi-dev



___
oi-dev mailing list
oi-dev@openindiana.org
https://openindiana.org/mailman/listinfo/oi-dev



___
oi-dev mailing list
oi-dev@openindiana.org
https://openindiana.org/mailman/listinfo/oi-dev

Re: [oi-dev] Discussing maintainers visibility in oi-userland

2017-05-12 Thread Till Wegmüller 
If we talk bigger components like XFCE i would say that this is pretty 
much how we are handeling them right now. We only take in these when we 
know that a Contributor is able to support them over a period of time. 
Otherwise we leave try to put stuff like this into SFE or pkgsrc where 
there are people (and buildservers) providing packages for many things.

I would say that this seems the way to go with the bigger Components.


---
Greetings
Till

On 12.05.2017 09:27, Dariusz Sendkowski wrote:

In my opinion, the current system looks fine.
Having a maintainer per component could be a nightmare for both 
maintainers and contributors. Maintainers are usually bottlenecks for 
various reasons no matter how hard they try not to be.
It could slow down the whole process significantly. Right now, it seems 
to run pretty flawlessly.


But how does it work for big and complex components (like desktop 
environments)? Should they be rejected due to the lack of the 
contributor's maintenance guarantee?
When I look at the contributors' list I see that people appear and 
disappear and that's a natural process.
This implies that nobody can guarantee that they will maintain 
components they add (I mean the bigger ones).




2017-05-12 6:22 GMT+02:00 Alexander Pyhalov >:


On 11.05.2017 22:13, Peter Tribble wrote:

On Thu, May 11, 2017 at 6:56 PM, Aurélien Larcher <
aurelien.larc...@gmail.com >
wrote:


The question raised is whether we should formalize a
maintaining process
for some important components or groups of components.

At some point I joked about a campaign going like "Adopt a
package".


There are downsides to having a formal owner: they can become a
bottleneck, and it might discourage others to contribute in an area
where there's an individual (or individuals) listed. Also,
people may be
reluctant to contribute if there's a prospect of being lumbered with
the responsibility going forward.

But, if you can avoid that, then there are benefits to having
what we
would call "Subject Matter Experts" for components or groups. Having
someone who is reasonably familiar with the component, preferably
someone who uses it, is useful as a source of help and advice, and
having a list of such people and their specialities would be
useful to
other contributors.

Putting such a list on display would also show that OI wasn't just a
one or two person effort, which would be good.


Yes, this idea seems reasonable. BTW, recently github started
suggesting reviewers
and it does it rather well.
---
System Administrator of Southern Federal University Computer Center



___
oi-dev mailing list
oi-dev@openindiana.org 
https://openindiana.org/mailman/listinfo/oi-dev





___
oi-dev mailing list
oi-dev@openindiana.org
https://openindiana.org/mailman/listinfo/oi-dev



___
oi-dev mailing list
oi-dev@openindiana.org
https://openindiana.org/mailman/listinfo/oi-dev

Re: [oi-dev] Discussing maintainers visibility in oi-userland

2017-05-12 Thread Dariusz Sendkowski 
In my opinion, the current system looks fine.
Having a maintainer per component could be a nightmare for both maintainers
and contributors. Maintainers are usually bottlenecks for various reasons
no matter how hard they try not to be.
It could slow down the whole process significantly. Right now, it seems to
run pretty flawlessly.

But how does it work for big and complex components (like desktop
environments)? Should they be rejected due to the lack of the contributor's
maintenance guarantee?
When I look at the contributors' list I see that people appear and
disappear and that's a natural process.
This implies that nobody can guarantee that they will maintain components
they add (I mean the bigger ones).



2017-05-12 6:22 GMT+02:00 Alexander Pyhalov :

> On 11.05.2017 22:13, Peter Tribble wrote:
>
>> On Thu, May 11, 2017 at 6:56 PM, Aurélien Larcher <
>> aurelien.larc...@gmail.com> wrote:
>>
>>
>>> The question raised is whether we should formalize a maintaining process
>>> for some important components or groups of components.
>>>
>>> At some point I joked about a campaign going like "Adopt a package".
>>>
>>>
>> There are downsides to having a formal owner: they can become a
>> bottleneck, and it might discourage others to contribute in an area
>> where there's an individual (or individuals) listed. Also, people may be
>> reluctant to contribute if there's a prospect of being lumbered with
>> the responsibility going forward.
>>
>> But, if you can avoid that, then there are benefits to having what we
>> would call "Subject Matter Experts" for components or groups. Having
>> someone who is reasonably familiar with the component, preferably
>> someone who uses it, is useful as a source of help and advice, and
>> having a list of such people and their specialities would be useful to
>> other contributors.
>>
>> Putting such a list on display would also show that OI wasn't just a
>> one or two person effort, which would be good.
>>
>
> Yes, this idea seems reasonable. BTW, recently github started suggesting
> reviewers
> and it does it rather well.
> ---
> System Administrator of Southern Federal University Computer Center
>
>
>
> ___
> oi-dev mailing list
> oi-dev@openindiana.org
> https://openindiana.org/mailman/listinfo/oi-dev
>
___
oi-dev mailing list
oi-dev@openindiana.org
https://openindiana.org/mailman/listinfo/oi-dev

Re: [oi-dev] Discussing maintainers visibility in oi-userland

2017-05-11 Thread Alexander Pyhalov 

On 11.05.2017 22:13, Peter Tribble wrote:

On Thu, May 11, 2017 at 6:56 PM, Aurélien Larcher <
aurelien.larc...@gmail.com> wrote:



The question raised is whether we should formalize a maintaining 
process

for some important components or groups of components.

At some point I joked about a campaign going like "Adopt a package".



There are downsides to having a formal owner: they can become a
bottleneck, and it might discourage others to contribute in an area
where there's an individual (or individuals) listed. Also, people may 
be

reluctant to contribute if there's a prospect of being lumbered with
the responsibility going forward.

But, if you can avoid that, then there are benefits to having what we
would call "Subject Matter Experts" for components or groups. Having
someone who is reasonably familiar with the component, preferably
someone who uses it, is useful as a source of help and advice, and
having a list of such people and their specialities would be useful to
other contributors.

Putting such a list on display would also show that OI wasn't just a
one or two person effort, which would be good.


Yes, this idea seems reasonable. BTW, recently github started suggesting 
reviewers

and it does it rather well.
---
System Administrator of Southern Federal University Computer Center


___
oi-dev mailing list
oi-dev@openindiana.org
https://openindiana.org/mailman/listinfo/oi-dev

Re: [oi-dev] Discussing maintainers visibility in oi-userland

2017-05-11 Thread Aurélien Larcher 


À Jeudi 11 mai 2017, Adam Števko a écrit :
> Hello,
> 
> I would like to keep the status quo in this. We don’t have formal maintainers 
> and basically every change to the package/component is reviewed by relevant 
> person (me/alp/aurelien//jimklimov/wacki/agnar). I would really like to see 
> this list to grow and reach the phase that we need to start think about 
> maintainers, but we are not yet there. The situation right now is that even 
> if a person reviews the change and think that other person should have a 
> look, e.g. me when I am reviewing some libs that might affect GUI i ask alp 
> for crossreview or when alp touches X11 things, he ask aurelien etc.
> 
> I would avoid creating a dedicated maintainers for now. If people really 
> think it should be done, I would say it should be done on a technology 
> stacks, e.g. Python, Ruby, webservers, X11, databases etc. In such cases 
> every change would need to be approved by a relevant person. However, I think 
> that might introduce latency and bureaucracy, which is really non-existent 
> right now. I would like to keep it that way if possible.

Maybe maintainer was a bad word, probably, as Peter suggested, it is more about 
having reference persons per group, so that questions could be directed. I do 
not know.
I am happy about the current system.
The question occured because I wondered whether people exterior to our group 
may find the apparent lack of formal organization confusing.
If it is the case, is there anything to do about it?

Darek's question shows that something could be mentioned about lack of 
ownership of components and review of PRs.
Just to formalize the informal nature of the process. ;) 

> 
> Cheers,
> Adam
> 
> > On May 11, 2017, at 9:13 PM, Peter Tribble  wrote:
> > 
> > On Thu, May 11, 2017 at 6:56 PM, Aurélien Larcher 
> > > wrote:
> > 
> > The question raised is whether we should formalize a maintaining process 
> > for some important components or groups of components.
> > 
> > At some point I joked about a campaign going like "Adopt a package".
> > 
> > There are downsides to having a formal owner: they can become a
> > bottleneck, and it might discourage others to contribute in an area
> > where there's an individual (or individuals) listed. Also, people may be
> > reluctant to contribute if there's a prospect of being lumbered with
> > the responsibility going forward.
> > 
> > But, if you can avoid that, then there are benefits to having what we
> > would call "Subject Matter Experts" for components or groups. Having
> > someone who is reasonably familiar with the component, preferably
> > someone who uses it, is useful as a source of help and advice, and
> > having a list of such people and their specialities would be useful to
> > other contributors.
> > 
> > Putting such a list on display would also show that OI wasn't just a
> > one or two person effort, which would be good.
> > 
> > --
> > -Peter Tribble
> > http://www.petertribble.co.uk/  - 
> > http://ptribble.blogspot.com/ 
> > ___
> > oi-dev mailing list
> > oi-dev@openindiana.org
> > https://openindiana.org/mailman/listinfo/oi-dev
> 
>

-- 
Thanks for sailing Jolla :)
___
oi-dev mailing list
oi-dev@openindiana.org
https://openindiana.org/mailman/listinfo/oi-dev

Re: [oi-dev] Discussing maintainers visibility in oi-userland

2017-05-11 Thread Adam Števko 
Hello,

I would like to keep the status quo in this. We don’t have formal maintainers 
and basically every change to the package/component is reviewed by relevant 
person (me/alp/aurelien//jimklimov/wacki/agnar). I would really like to see 
this list to grow and reach the phase that we need to start think about 
maintainers, but we are not yet there. The situation right now is that even if 
a person reviews the change and think that other person should have a look, 
e.g. me when I am reviewing some libs that might affect GUI i ask alp for 
crossreview or when alp touches X11 things, he ask aurelien etc.

I would avoid creating a dedicated maintainers for now. If people really think 
it should be done, I would say it should be done on a technology stacks, e.g. 
Python, Ruby, webservers, X11, databases etc. In such cases every change would 
need to be approved by a relevant person. However, I think that might introduce 
latency and bureaucracy, which is really non-existent right now. I would like 
to keep it that way if possible.

Cheers,
Adam

> On May 11, 2017, at 9:13 PM, Peter Tribble  wrote:
> 
> On Thu, May 11, 2017 at 6:56 PM, Aurélien Larcher  > wrote:
> 
> The question raised is whether we should formalize a maintaining process for 
> some important components or groups of components.
> 
> At some point I joked about a campaign going like "Adopt a package".
> 
> There are downsides to having a formal owner: they can become a
> bottleneck, and it might discourage others to contribute in an area
> where there's an individual (or individuals) listed. Also, people may be
> reluctant to contribute if there's a prospect of being lumbered with
> the responsibility going forward.
> 
> But, if you can avoid that, then there are benefits to having what we
> would call "Subject Matter Experts" for components or groups. Having
> someone who is reasonably familiar with the component, preferably
> someone who uses it, is useful as a source of help and advice, and
> having a list of such people and their specialities would be useful to
> other contributors.
> 
> Putting such a list on display would also show that OI wasn't just a
> one or two person effort, which would be good.
> 
> --
> -Peter Tribble
> http://www.petertribble.co.uk/  - 
> http://ptribble.blogspot.com/ 
> ___
> oi-dev mailing list
> oi-dev@openindiana.org
> https://openindiana.org/mailman/listinfo/oi-dev



signature.asc
Description: Message signed with OpenPGP
___
oi-dev mailing list
oi-dev@openindiana.org
https://openindiana.org/mailman/listinfo/oi-dev

Re: [oi-dev] Discussing maintainers visibility in oi-userland

2017-05-11 Thread Peter Tribble 
On Thu, May 11, 2017 at 6:56 PM, Aurélien Larcher <
aurelien.larc...@gmail.com> wrote:

>
> The question raised is whether we should formalize a maintaining process
> for some important components or groups of components.
>
> At some point I joked about a campaign going like "Adopt a package".
>

There are downsides to having a formal owner: they can become a
bottleneck, and it might discourage others to contribute in an area
where there's an individual (or individuals) listed. Also, people may be
reluctant to contribute if there's a prospect of being lumbered with
the responsibility going forward.

But, if you can avoid that, then there are benefits to having what we
would call "Subject Matter Experts" for components or groups. Having
someone who is reasonably familiar with the component, preferably
someone who uses it, is useful as a source of help and advice, and
having a list of such people and their specialities would be useful to
other contributors.

Putting such a list on display would also show that OI wasn't just a
one or two person effort, which would be good.

-- 
-Peter Tribble
http://www.petertribble.co.uk/ - http://ptribble.blogspot.com/
___
oi-dev mailing list
oi-dev@openindiana.org
https://openindiana.org/mailman/listinfo/oi-dev