public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] The meaning of attributes in repositories.xml?
@ 2025-03-28  4:27 Michał Górny
  2025-03-28  8:15 ` [gentoo-dev] " Anna Vyalkova
                   ` (2 more replies)
  0 siblings, 3 replies; 11+ messages in thread
From: Michał Górny @ 2025-03-28  4:27 UTC
  To: gentoo-dev


Hello,

I've looked at our repositories.xml and the quality/status attributes
don't seem to be used very meaningfully.

That is, by quality:

core: gentoo [official]
stable: opentransactions (?) [official (?!)]
testing: hyprland-overlay, moexiami [both unofficial]
experimental: everything else
graveyard: unused

By status:

official: ago, alexxy, anarchy, andrey_utkin, cj-overlay, dilfridge,
emacs, EmilienMottet, fordfrog, gentoo, gnome, gnustep, graaff, guru,
haskell, java, jmbsvicetto, kde, libressl, maekke, masterlay, mschiff,
multilib-portage, musl, mysql, opentransactions, pentoo, pinkbyte,
qemu-init, qt, R_Overlay, rich0, riscv, rnp, ruby, science, sping,
swegener, tex-overlay, toolchain, ukui, ulm, vGist, voyageur, x11

unofficial: everything else


Which brings the significant question: are these attributes in any way
meaningful?  Is there a point in keeping them at all?  Should we set
some ground rules and make them used consistently?

Of them all, only "core" makes sense right now.  "stable" and "testing"
are used only by random user overlays, with no apparent features. 
Similarly, "official" is used by a mix of developer and ex-developer
repositories, developer and user project repositories, and a bunch of
user repositories with no clearly distinct features.

-- 
Best regards,
Michał Górny



^ permalink raw reply	[flat|nested] 11+ messages in thread

* [gentoo-dev] Re: The meaning of attributes in repositories.xml?
  2025-03-28  4:27 [gentoo-dev] The meaning of attributes in repositories.xml? Michał Górny
@ 2025-03-28  8:15 ` Anna Vyalkova
  2025-03-28  8:59   ` Ionen Wolkens
  2025-03-28  8:23 ` Duncan
  2025-03-28 11:59 ` [gentoo-dev] " Ulrich Müller
  2 siblings, 1 reply; 11+ messages in thread
From: Anna Vyalkova @ 2025-03-28  8:15 UTC
  To: gentoo-dev

On 2025-03-28, Michał Górny wrote:
> Hello,
> 
> I've looked at our repositories.xml and the quality/status attributes
> don't seem to be used very meaningfully.
> 
> That is, by quality:
> 
> core: gentoo [official]
> stable: opentransactions (?) [official (?!)]
> testing: hyprland-overlay, moexiami [both unofficial]
> experimental: everything else
> graveyard: unused

No idea why it's named quality. "stable", "testing" and "experimental" 
are only used in profiles. Packages also can have stable and testing 
arch keywords.

Looks like reused terminology without any clear and unambiguous meaning 
of each term.

> By status:
> 
> official: ago, alexxy, anarchy, andrey_utkin, cj-overlay, dilfridge,
> emacs, EmilienMottet, fordfrog, gentoo, gnome, gnustep, graaff, guru,
> haskell, java, jmbsvicetto, kde, libressl, maekke, masterlay, mschiff,
> multilib-portage, musl, mysql, opentransactions, pentoo, pinkbyte,
> qemu-init, qt, R_Overlay, rich0, riscv, rnp, ruby, science, sping,
> swegener, tex-overlay, toolchain, ukui, ulm, vGist, voyageur, x11
> 
> unofficial: everything else

This makes sense: official repositories are maintained or managed by 
Gentoo developers, unofficial repositories are maintained by 
non-developers.

Well, should make sense, because "libressl" is also somehow official? It 
used to be maintained by Gentoo, and likely this attribute just wasn't 
updated after Gentoo had discontinued support for LibreSSL.
 
> Which brings the significant question: are these attributes in any way
> meaningful?  Is there a point in keeping them at all?  Should we set
> some ground rules and make them used consistently?

Even if they are meaningful, they are inconsistent and fall out of sync.  
I wouldn't miss them :/

> Of them all, only "core" makes sense right now.  "stable" and "testing"
> are used only by random user overlays, with no apparent features. 
> Similarly, "official" is used by a mix of developer and ex-developer
> repositories, developer and user project repositories, and a bunch of
> user repositories with no clearly distinct features.



* [gentoo-dev] Re: The meaning of attributes in repositories.xml?
  2025-03-28  4:27 [gentoo-dev] The meaning of attributes in repositories.xml? Michał Górny
  2025-03-28  8:15 ` [gentoo-dev] " Anna Vyalkova
@ 2025-03-28  8:23 ` Duncan
  2025-03-28 13:04   ` Michał Górny
  2025-03-30 14:37   ` Gerion Entrup
  2025-03-28 11:59 ` [gentoo-dev] " Ulrich Müller
  2 siblings, 2 replies; 11+ messages in thread
From: Duncan @ 2025-03-28  8:23 UTC
  To: gentoo-dev

Michał Górny posted on Fri, 28 Mar 2025 05:27:40 +0100 as excerpted:

> Hello,
> 
> I've looked at our repositories.xml and the quality/status attributes
> don't seem to be used very meaningfully.
> 
> That is, by quality:
> 
> core: gentoo [official]
> stable: opentransactions (?) [official (?!)]
> testing: hyprland-overlay, moexiami [both unofficial]
> experimental: everything else
> graveyard: unused
> 
> By status:
> 
> official: ago, alexxy, anarchy, andrey_utkin, cj-overlay, dilfridge,
> emacs, EmilienMottet, fordfrog, gentoo, gnome, gnustep, graaff, guru,
> haskell, java, jmbsvicetto, kde, libressl, maekke, masterlay, mschiff,
> multilib-portage, musl, mysql, opentransactions, pentoo, pinkbyte,
> qemu-init, qt, R_Overlay, rich0, riscv, rnp, ruby, science, sping,
> swegener, tex-overlay, toolchain, ukui, ulm, vGist, voyageur, x11
> 
> unofficial: everything else
> 
> 
> Which brings the significant question: are these attributes in any way
> meaningful?  Is there a point in keeping them at all?  Should we set
> some ground rules and make them used consistently?
> 
> Of them all, only "core" makes sense right now.  "stable" and "testing"
> are used only by random user overlays, with no apparent features.
> Similarly, "official" is used by a mix of developer and ex-developer
> repositories, developer and user project repositories, and a bunch of
> user repositories with no clearly distinct features.

So what you didn't mention but I assume knew, thus making your question 
more one of: "This seems to have changed, do we get stricter again or lose 
the attributes which don't seem to mean anything any more"...

My (user) understanding from "back in the day" when overlays were fairly 
new and I first merged and configured layman (reading its config docs 
where IIRC this came from to do so), keeping in mind that back then 
overlays were a new concept and a major point from the detractors was fear 
that actually providing official overlays management and documentation 
would somehow implicate Gentoo if a user took advantage to distribute 
overt malware:

Status:

* "Official" status meant managed by an official Gentoo project or 
developer (who had gone thru the usual vetting process), thereby implying 
the same security-trust level as the main Gentoo tree.  That is, 
regardless of quality (experimental, testing, etc), the contents should be 
relatively trustworthy at minimum not to include deliberate ebuild/eclass 
level malware.

The implication of "official" was that any deliberate or "they went 
through the vetting process and should have known better" security 
violation (as opposed to quality/QA violation) in any "official" overlay 
would be treated as if it had occurred in the main overlay, and would not 
only trigger ejection of the dev in question but a reexamination of what 
could be done to improve vetting to avoid it happening again in the 
future, as well as possible prosecution as appropriate.

* "Unofficial" status had rather less security-trust and was intended for 
"ordinary users".  Unvetted, "caveat emptor", "here be dragons" and "if it 
breaks you get to keep the pieces".  Security violations would of course 
result in removal of the overlay from the list... after the fact.

The implication was "If it's from an unofficial overlay, be sure you 
either trust the author with effective root on your system or explicitly 
examine the code before running it, because effective root on your system 
is what you're giving them."

...

I thus find it ... "unsettling"... to read that various user overlays have 
apparently been marked "official" with no regard to that original policy.  
While the original distinction may have arguably had alarmist motivations, 
I definitely still find it useful, within a somewhat more limited context, 
and consider "official" status among other factors when I consider adding 
an overlay.

Guru specifically, given its purpose and that I personally have it active 
(but ATM unused), I wonder about having official status.  I only "sort of" 
use one ebuild from there, net-nntp/pan -- "sort of" because I used it as 
a basis for my personal overlay's pan-9999 live-git ebuild, when upstream 
switched autotools -> cmake.  (FWIW I've been "going to" contact and 
coordinate with the primary author and perhaps add the -9999 version to 
guru as well once we do, but that's yet to happen...)  Obviously I did the 
appropriate "unofficial status level" security evaluation in the process 
of converting it to live-git -9999.

Quality:

I /think/ the quality attribute /may/ have been introduced later as IDR 
reading about it in the original layman docs, as I think back then the 
/assumption/ was that "if it's only in an overlay, it's not up to main-
tree quality", thus "experimental" and possibly incomplete/under-
development, below ~arch-level quality.  Either that or perhaps IDR it 
simply because it didn't strike me as important enough to "underline in my 
memory" like the status did (with the experimental assumption then being 
on my part as seeming obvious).

Graveyard would have been the sunset overlay, which I guess has fallen by 
the wayside?  (Of course I'm personally much more toward the live-git side 
than sunset/graveyard, so I'd have never noticed sunset's disappearance.)


FWIW kde's the only overlay I'm currently actively using (for -9999s, sets 
and package.accept_keywords), and it's (correctly) official status, 
experimental quality.  (Tho I only just removed qt days ago, after reading 
that qt*-9999s are officially in-tree now -- kde of course having required 
it at times for the -9999s in the :5 era due to upstream kde's sometime  
dependency on unreleased qt.)

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman




* Re: [gentoo-dev] Re: The meaning of attributes in repositories.xml?
  2025-03-28  8:15 ` [gentoo-dev] " Anna Vyalkova
@ 2025-03-28  8:59   ` Ionen Wolkens
  0 siblings, 0 replies; 11+ messages in thread
From: Ionen Wolkens @ 2025-03-28  8:59 UTC
  To: gentoo-dev


On Fri, Mar 28, 2025 at 01:15:44PM +0500, Anna Vyalkova wrote:
> On 2025-03-28, Michał Górny wrote:
> > Hello,
> > 
> > I've looked at our repositories.xml and the quality/status attributes
> > don't seem to be used very meaningfully.
> > 
> > That is, by quality:
> > 
> > core: gentoo [official]
> > stable: opentransactions (?) [official (?!)]
> > testing: hyprland-overlay, moexiami [both unofficial]
> > experimental: everything else
> > graveyard: unused
> 
> No idea why it's named quality. "stable", "testing" and "experimental" 
> are only used in profiles. Packages also can have stable and testing 
> arch keywords.
> 
> Looks like reused terminology without any clear and unambiguous meaning 
> of each term.
> 
> > By status:
> > 
> > official: ago, alexxy, anarchy, andrey_utkin, cj-overlay, dilfridge,
> > emacs, EmilienMottet, fordfrog, gentoo, gnome, gnustep, graaff, guru,
> > haskell, java, jmbsvicetto, kde, libressl, maekke, masterlay, mschiff,
> > multilib-portage, musl, mysql, opentransactions, pentoo, pinkbyte,
> > qemu-init, qt, R_Overlay, rich0, riscv, rnp, ruby, science, sping,
> > swegener, tex-overlay, toolchain, ukui, ulm, vGist, voyageur, x11
> > 
> > unofficial: everything else
> 
> This makes sense: official repositories are maintained or managed by 
> Gentoo developers, unofficial repositories are maintained by 
> non-developers.
> 
> Well, should make sense, because "libressl" is also somehow official? It 
> used to be maintained by Gentoo, and likely this attribute just wasn't 
> updated after Gentoo had discontinued support for LibreSSL.

Yes, there's nothing official about it anymore. Claims (that I've
occasionally seen) that gentoo still "officially" supports libressl
through the overlay also shouldn't be made. While it allows usage,
it is not Gentoo endorsed.

On that note, guess the term "official" for overlays may not be that
great in general. That sounds fine when associated with an actual
Gentoo project like GURU or KDE, but side-things that developers do
can be quite a mixed bag or just low quality testing stuff, and
calling them official feels a bit iffy (they'd probably be putting
these things in the main tree otherwise).

At best it's just a trust indicator (wouldn't use Gentoo if didn't
trust the developers) which could use another word.

>  
> > Which brings the significant question: are these attributes in any way
> > meaningful?  Is there a point in keeping them at all?  Should we set
> > some ground rules and make them used consistently?
> 
> Even if they are meaningful, they are inconsistent and fall out of sync.  
> I wouldn't miss them :/
> 
> > Of them all, only "core" makes sense right now.  "stable" and "testing"
> > are used only by random user overlays, with no apparent features. 
> > Similarly, "official" is used by a mix of developer and ex-developer
> > repositories, developer and user project repositories, and a bunch of
> > user repositories with no clearly distinct features.
> 

-- 
ionen


* Re: [gentoo-dev] The meaning of attributes in repositories.xml?
  2025-03-28  4:27 [gentoo-dev] The meaning of attributes in repositories.xml? Michał Górny
  2025-03-28  8:15 ` [gentoo-dev] " Anna Vyalkova
  2025-03-28  8:23 ` Duncan
@ 2025-03-28 11:59 ` Ulrich Müller
  2025-03-28 12:57   ` Michał Górny
  2 siblings, 1 reply; 11+ messages in thread
From: Ulrich Müller @ 2025-03-28 11:59 UTC
  To: Michał Górny; +Cc: gentoo-dev


>>>>> On Fri, 28 Mar 2025, Michał Górny wrote:

> I've looked at our repositories.xml and the quality/status attributes
> don't seem to be used very meaningfully.

> That is, by quality:

> core: gentoo [official]
> stable: opentransactions (?) [official (?!)]
> testing: hyprland-overlay, moexiami [both unofficial]
> experimental: everything else
> graveyard: unused

> By status:

> official: ago, alexxy, anarchy, andrey_utkin, cj-overlay, dilfridge,
> emacs, EmilienMottet, fordfrog, gentoo, gnome, gnustep, graaff, guru,
> haskell, java, jmbsvicetto, kde, libressl, maekke, masterlay, mschiff,
> multilib-portage, musl, mysql, opentransactions, pentoo, pinkbyte,
> qemu-init, qt, R_Overlay, rich0, riscv, rnp, ruby, science, sping,
> swegener, tex-overlay, toolchain, ukui, ulm, vGist, voyageur, x11

> unofficial: everything else


> Which brings the significant question: are these attributes in any way
> meaningful?  Is there a point in keeping them at all?  Should we set
> some ground rules and make them used consistently?

> Of them all, only "core" makes sense right now.  "stable" and "testing"
> are used only by random user overlays, with no apparent features. 
> Similarly, "official" is used by a mix of developer and ex-developer
> repositories, developer and user project repositories, and a bunch of
> user repositories with no clearly distinct features.

I've recently looked at these too, in the context of EAPI deprecation
(GLEP 83). Basically, which repositories should we consider before
dropping support for an old EAPI from package managers?

For example, one could consider all "official" repositories. But then
I looked at some of them and found quite a few that are essentially
unmaintained (e.g. because the developer retired). Also, the "quality"
attribute didn't make sense to me at all.

One idea could be to merge these into a single status attribute, and
maybe salvage the "core" value. That is:

- core: Only the Gentoo repository (for the time being)
- official: Repositories maintained by a project or a developer
  (maybe opt-in or opt-out, i.e. allow devs to have unofficial
  repositories?)
- unofficial: everything else

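As an added example (not code from this thread, nor Gentoo's own tooling), the following Python script performs the kind of repositories.xml survey Michał describes at the top of the thread, grouping repositories by their quality and status attributes, and then checks the entries against the rules Ulrich proposes (quality="core" reserved for the Gentoo repository, graveyard repositories not listed at all, and no defined criteria for "stable"/"testing"). The attribute names come from the thread; the `<repo>`/`<name>`/`<source>` element layout is an assumption, and the sample document is constructed for the example rather than copied from the real file.

```python
"""Audit the quality/status attributes of a Gentoo-style repositories.xml.

Added example, not code from the thread or from Gentoo's own tooling.
Assumptions: each <repo> element carries quality= and status= attributes
and a <name> child (attribute names are from the thread; the element
layout is assumed). The sample document below is constructed.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: repository names and URLs are invented to exercise
# the checks; this is not a copy of the real repositories.xml.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<repositories version="1.0">
  <repo quality="core" status="official">
    <name>gentoo</name>
    <source type="git">https://example.invalid/gentoo.git</source>
  </repo>
  <repo quality="stable" status="official">
    <name>retired-dev-overlay</name>
    <source type="git">https://example.invalid/retired.git</source>
  </repo>
  <repo quality="testing" status="unofficial">
    <name>user-overlay</name>
    <source type="git">https://example.invalid/user.git</source>
  </repo>
  <repo quality="graveyard" status="unofficial">
    <name>dead-overlay</name>
    <source type="git">https://example.invalid/dead.git</source>
  </repo>
  <repo status="unofficial">
    <name>no-quality-overlay</name>
    <source type="git">https://example.invalid/noq.git</source>
  </repo>
</repositories>
"""

# Attribute vocabulary as discussed in the thread.
QUALITY_VALUES = {"core", "stable", "testing", "experimental", "graveyard"}
STATUS_VALUES = {"official", "unofficial"}
# Ulrich's proposal: "core" only for the Gentoo repository (for now).
CORE_REPOS = {"gentoo"}


def parse_repos(xml_text):
    """Return a list of (name, quality, status); missing attributes -> None."""
    root = ET.fromstring(xml_text)
    repos = []
    for repo in root.iter("repo"):
        name_el = repo.find("name")
        name = name_el.text.strip() if name_el is not None and name_el.text else None
        repos.append((name, repo.get("quality"), repo.get("status")))
    return repos


def group_by(repos, index):
    """Group repo names by one attribute (index 1 = quality, 2 = status)."""
    groups = defaultdict(list)
    for entry in repos:
        groups[entry[index]].append(entry[0])
    return {key: sorted(names) for key, names in groups.items()}


def find_inconsistencies(repos):
    """Flag entries that do not fit the rules proposed in the thread."""
    problems = []
    for name, quality, status in repos:
        if name is None:
            problems.append(("<unnamed>", "repo element without <name>"))
            continue
        if quality not in QUALITY_VALUES:
            problems.append((name, f"unknown quality {quality!r}"))
        if status not in STATUS_VALUES:
            problems.append((name, f"unknown status {status!r}"))
        if quality == "core" and name not in CORE_REPOS:
            problems.append((name, "quality=core is reserved for the Gentoo repo"))
        if name in CORE_REPOS and quality != "core":
            problems.append((name, "Gentoo repo should carry quality=core"))
        if quality == "graveyard":
            problems.append((name, "graveyard repo should not be listed at all"))
        if quality in {"stable", "testing"}:
            problems.append((name, f"quality={quality} has no defined criteria; confirm opt-in"))
    return problems


if __name__ == "__main__":
    entries = parse_repos(SAMPLE_XML)
    for label, idx in (("quality", 1), ("status", 2)):
        print(f"By {label}:")
        for value, names in sorted(group_by(entries, idx).items(), key=lambda kv: str(kv[0])):
            print(f"  {value}: {', '.join(names)}")
    print("Inconsistencies:")
    for name, message in find_inconsistencies(entries):
        print(f"  {name}: {message}")
```

Pointing `parse_repos` at the real file instead of `SAMPLE_XML` gives the same grouped survey Michał posted, plus a list of entries to review before the attributes are cleaned up; the "stable"/"testing" check is deliberately a review prompt rather than an error, since the thread agrees no criteria exist for those values.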

* Re: [gentoo-dev] The meaning of attributes in repositories.xml?
  2025-03-28 11:59 ` [gentoo-dev] " Ulrich Müller
@ 2025-03-28 12:57   ` Michał Górny
  2025-03-28 16:51     ` Ulrich Müller
  0 siblings, 1 reply; 11+ messages in thread
From: Michał Górny @ 2025-03-28 12:57 UTC
  To: gentoo-dev


On Fri, 2025-03-28 at 12:59 +0100, Ulrich Müller wrote:
> > > > > > On Fri, 28 Mar 2025, Michał Górny wrote:
> 
> > I've looked at our repositories.xml and the quality/status attributes
> > don't seem to be used very meaningfully.
> 
> > That is, by quality:
> 
> > core: gentoo [official]
> > stable: opentransactions (?) [official (?!)]
> > testing: hyprland-overlay, moexiami [both unofficial]
> > experimental: everything else
> > graveyard: unused
> 
> > By status:
> 
> > official: ago, alexxy, anarchy, andrey_utkin, cj-overlay, dilfridge,
> > emacs, EmilienMottet, fordfrog, gentoo, gnome, gnustep, graaff, guru,
> > haskell, java, jmbsvicetto, kde, libressl, maekke, masterlay, mschiff,
> > multilib-portage, musl, mysql, opentransactions, pentoo, pinkbyte,
> > qemu-init, qt, R_Overlay, rich0, riscv, rnp, ruby, science, sping,
> > swegener, tex-overlay, toolchain, ukui, ulm, vGist, voyageur, x11
> 
> > unofficial: everything else
> 
> 
> > Which brings the significant question: are these attributes in any way
> > meaningful?  Is there a point in keeping them at all?  Should we set
> > some ground rules and make them used consistently?
> 
> > Of them all, only "core" makes sense right now.  "stable" and "testing"
> > are used only by random user overlays, with no apparent features. 
> > Similarly, "official" is used by a mix of developer and ex-developer
> > repositories, developer and user project repositories, and a bunch of
> > user repositories with no clearly distinct features.
> 
> I've recently looked at these too, in the context of EAPI deprecation
> (GLEP 83). Basically, which repositories should we consider before
> dropping support for an old EAPI from package managers?
> 
> For example, one could consider all "official" repositories. But then
> I looked at some of them and found quite a few that are essentially
> unmaintained (e.g. because the developer retired). Also, the "quality"
> attribute didn't make sense to me at all.
> 
> One idea could be to merge these into a single status attribute, and
> maybe salvage the "core" value. That is:
> 
> - core: Only the Gentoo repository (for the time being)
> - official: Repositories maintained by a project or a developer
>   (maybe opt-in or opt-out, i.e. allow devs to have unofficial
>   repositories?)
> - unofficial: everything else

WFM.  Not sure we can remove the "quality" attribute without breaking
stuff, but we can at least clean "status" a bit.  Perhaps as a first
step, downgrade all user repositories to "unofficial".  Then ask
the owners of the remaining ones if they want them to stay official.

-- 
Best regards,
Michał Górny



* Re: [gentoo-dev] Re: The meaning of attributes in repositories.xml?
  2025-03-28  8:23 ` Duncan
@ 2025-03-28 13:04   ` Michał Górny
  2025-03-28 16:31     ` Duncan
  2025-03-30 14:37   ` Gerion Entrup
  1 sibling, 1 reply; 11+ messages in thread
From: Michał Górny @ 2025-03-28 13:04 UTC
  To: gentoo-dev


On Fri, 2025-03-28 at 08:23 +0000, Duncan wrote:
> Status:
> 
> * "Official" status meant managed by an official Gentoo project or 
> developer (who had gone thru the usual vetting process), […]
> 
> * "Unofficial" status had rather less security-trust and was intended for 
> "ordinary users".  […]

Yeah, that makes sense.  However, what probably happened over the last
years is that people requesting being added to repositories.xml either:

a. copied a random entry and inherited the attributes from it,

b. made their own decision arbitrarily,

and in case of user requests, a Gentoo developer probably merged
the request without even looking at the values of these attributes.

> Guru specifically, given its purpose and that I personally have it active 
> (but ATM unused), I wonder about having official status.  […]

GURU specifically falls on the edge between these two definitions.
On one hand, by definition it is entirely maintained by users.
On the other, it is an official Gentoo project, and goes through some
kind of vetting process (i.e. Gentoo devs approve TCs, TCs and devs
review changes before pushing them to the main branch).

-- 
Best regards,
Michał Górny



* [gentoo-dev] Re: The meaning of attributes in repositories.xml?
  2025-03-28 13:04   ` Michał Górny
@ 2025-03-28 16:31     ` Duncan
  0 siblings, 0 replies; 11+ messages in thread
From: Duncan @ 2025-03-28 16:31 UTC
  To: gentoo-dev

Michał Górny posted on Fri, 28 Mar 2025 14:04:32 +0100 as excerpted:

> On Fri, 2025-03-28 at 08:23 +0000, Duncan wrote:
>> Status:
>> 
>> * "Official" status meant managed by an official Gentoo project or
>> developer (who had gone thru the usual vetting process), […]
>> 
>> * "Unofficial" status had rather less security-trust and was intended
>> for "ordinary users".  […]

> GURU specifically falls on the edge between these two definitions.
> On one hand, by definition it is entirely maintained by users.
> On the other, it is an official Gentoo project, and goes through some
> kind of vetting process (i.e. Gentoo devs approve TCs, TCs and devs
> review changes before pushing them to the main branch).

Hmm...  Yes, I was deliberating about that in my thoughts as I posted too, 
but decided to leave it alone.  Now I'm wondering again...

Adding to ulm's three-level idea (which I see you already WFMed), maybe:

* Core: Gentoo main tree only (for now)

* Official: Gentoo project/dev repos (and I like his opt-in, can choose to 
be unofficial)

+* Semi-official: Guru.  But I'm not happy with the name.  Maybe keep it 
simple, call the level Guru as well (after all core just has one repo in 
it ATM, too), and just accept that guru level might well include more than 
just the guru repo in the future?

* Unofficial: Everything else

With or without semi-official, so far this does seem the general 
consensus.  But for three-level guru really is a square peg in a round 
hole, and whatever demoting/promoting occurs to make it fit would seem 
rather forced and out-of-place.

More so, for the purposes of EAPI deprecation and removal consideration 
I'd draw the line to include guru and exclude unofficial, which would 
either practically force guru to official in the three-level plan, or make 
it even /more/ out-of-place in unofficial, as the single exception.

Which leans me toward four-level, except for the practical consideration 
that once it passes three where might it stop in the future as there's 
always new exceptions and three's a nicer place to draw the line than 
four.  Maybe get rid of core level and just put the main tree in official 
too, thus leaving us with three levels /including/ guru?

Really I'd be satisfied with any of [o/u (just two level), c/o/u, c/o/g/u, 
o/g/u] (and enforcing whichever choice), much more so than with removing 
that attribute entirely as to me that'd be an undesirable step backward.

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman




* Re: [gentoo-dev] The meaning of attributes in repositories.xml?
  2025-03-28 12:57   ` Michał Górny
@ 2025-03-28 16:51     ` Ulrich Müller
  2025-03-28 17:19       ` Michał Górny
  0 siblings, 1 reply; 11+ messages in thread
From: Ulrich Müller @ 2025-03-28 16:51 UTC
  To: Michał Górny; +Cc: gentoo-dev


>>>>> On Fri, 28 Mar 2025, Michał Górny wrote:

>> One idea could be to merge these into a single status attribute, and
>> maybe salvage the "core" value. That is:
>> 
>> - core: Only the Gentoo repository (for the time being)
>> - official: Repositories maintained by a project or a developer
>>   (maybe opt-in or opt-out, i.e. allow devs to have unofficial
>>   repositories?)
>> - unofficial: everything else

> WFM.  Not sure we can remove the "quality" attribute without breaking
> stuff, but we can at least clean "status" a bit.

Yeah, that may be an obstacle. If we must keep the quality attribute,
then how about using quality="core" for the Gentoo repo, and
quality="experimental" for everything else? Very few repos use the
values "stable" or "testing", and we don't seem to have any criteria
for them.

Also arguably, a repository with quality="graveyard" shouldn't be in
repositories.xml at all.

> Perhaps as a first step, downgrade all user repositories to
> "unofficial". Then ask the owners of the remaining ones if they want
> them to stay official.

+1

Ulrich


* Re: [gentoo-dev] The meaning of attributes in repositories.xml?
  2025-03-28 16:51     ` Ulrich Müller
@ 2025-03-28 17:19       ` Michał Górny
  0 siblings, 0 replies; 11+ messages in thread
From: Michał Górny @ 2025-03-28 17:19 UTC
  To: gentoo-dev


On Fri, 2025-03-28 at 17:51 +0100, Ulrich Müller wrote:
> > > > > > On Fri, 28 Mar 2025, Michał Górny wrote:
> 
> > > One idea could be to merge these into a single status attribute, and
> > > maybe salvage the "core" value. That is:
> > > 
> > > - core: Only the Gentoo repository (for the time being)
> > > - official: Repositories maintained by a project or a developer
> > >   (maybe opt-in or opt-out, i.e. allow devs to have unofficial
> > >   repositories?)
> > > - unofficial: everything else
> 
> > WFM.  Not sure we can remove the "quality" attribute without breaking
> > stuff, but we can at least clean "status" a bit.
> 
> Yeah, that may be an obstacle. If we must keep the quality attribute,
> then how about using quality="core" for the Gentoo repo, and
> quality="experimental" for everything else? Very few repos use the
> values "stable" or "testing", and we don't seem to have any criteria
> for them.

If I were to quickly guess some criteria, then I'd guess "stable" would
mean we have consistent stable keywords, "testing" would mean same for
~arch, and "experimental" would mean no consistency expected — i.e. same
as profiles.  But then, the question would be: do we expect people to
actually enforce that somehow, or just declare it?  And then, is it
really worth the effort?

So yeah, perhaps here too we should just revert to the lowest value of
"experimental" and raise if people opt-in to a higher level.  Except
perhaps ::guru, which I'd personally dare say fits "testing".



-- 
Best regards,
Michał Górny



* Re: [gentoo-dev] Re: The meaning of attributes in repositories.xml?
  2025-03-28  8:23 ` Duncan
  2025-03-28 13:04   ` Michał Górny
@ 2025-03-30 14:37   ` Gerion Entrup
  1 sibling, 0 replies; 11+ messages in thread
From: Gerion Entrup @ 2025-03-30 14:37 UTC
  To: gentoo-dev


On Friday, 28 March 2025, 09:23:42 Central European Summer Time, Duncan wrote:
> Michał Górny posted on Fri, 28 Mar 2025 05:27:40 +0100 as excerpted:
> 
> > Hello,
> > 
> > I've looked at our repositories.xml and the quality/status attributes
> > don't seem to be used very meaningfully.
> > 
> > That is, by quality:
> > 
> > core: gentoo [official]
> > stable: opentransactions (?) [official (?!)]
> > testing: hyprland-overlay, moexiami [both unofficial]
> > experimental: everything else
> > graveyard: unused
> > 
> > By status:
> > 
> > official: ago, alexxy, anarchy, andrey_utkin, cj-overlay, dilfridge,
> > emacs, EmilienMottet, fordfrog, gentoo, gnome, gnustep, graaff, guru,
> > haskell, java, jmbsvicetto, kde, libressl, maekke, masterlay, mschiff,
> > multilib-portage, musl, mysql, opentransactions, pentoo, pinkbyte,
> > qemu-init, qt, R_Overlay, rich0, riscv, rnp, ruby, science, sping,
> > swegener, tex-overlay, toolchain, ukui, ulm, vGist, voyageur, x11
> > 
> > unofficial: everything else
> > 
> > 
> > Which brings the significant question: are these attributes in any way
> > meaningful?  Is there a point in keeping them at all?  Should we set
> > some ground rules and make them used consistently?
> > 
> > Of them all, only "core" makes sense right now.  "stable" and "testing"
> > are used only by random user overlays, with no apparent features.
> > Similarly, "official" is used by a mix of developer and ex-developer
> > repositories, developer and user project repositories, and a bunch of
> > user repositories with no clearly distinct features.
> 
> So what you didn't mention but I assume knew, thus making your question 
> more one of: "This seems to have changed, do we get stricter again or lose 
> the attributes which don't seem to mean anything any more"...
> 
> My (user) understanding from "back in the day" when overlays were fairly 
> new and I first merged and configured layman (reading its config docs 
> where IIRC this came from to do so), keeping in mind that back then 
> overlays were a new concept and a major point from the detractors was fear 
> that actually providing official overlays management and documentation 
> would somehow implicate Gentoo if a user took advantage to distribute 
> overt malware:
> 
> Status:
> 
> * "Official" status meant managed by an official Gentoo project or 
> developer (who had gone thru the usual vetting process), thereby implying 
> the same security-trust level as the main Gentoo tree.  That is, 
> regardless of quality (experimental, testing, etc), the contents should be 
> relatively trustworthy at minimum not to include deliberate ebuild/eclass 
> level malware.
> 
> The implication of "official" was that any deliberate or "they went 
> through the vetting process and should have known better" security 
> violation (as opposed to quality/QA violation) in any "official" overlay 
> would be treated as if it had occurred in the main overlay, and would not 
> only trigger ejection of the dev in question but a reexamination of what 
> could be done to improve vetting to avoid it happening again in the 
> future, as well as possible prosecution as appropriate.
> 
> * "Unofficial" status had rather less security-trust and was intended for 
> "ordinary users".  Unvetted, "caveat emptor", "here be dragons" and "if it 
> breaks you get to keep the pieces".  Security violations would of course 
> result in removal of the overlay from the list... after the fact.
> 
> The implication was "If it's from an unofficial overlay, be sure you 
> either trust the author with effective root on your system or explicitly 
> examine the code before running it, because effective root on your system 
> is what you're giving them."
> 
> ...
> 
> I thus find it ... "unsettling"... to read that various user overlays have 
> apparently been marked "official" with no regard to that original policy.  
> While the original distinction may have arguably had alarmist motivations, 
> I definitely still find it useful, within a somewhat more limited context, 
> and consider "official" status among other factors when I consider adding 
> an overlay.
> 
> Guru specifically, given its purpose and that I personally have it active 
> (but ATM unused), I wonder about having official status.  I only "sort of" 
> use one ebuild from there, net-nntp/pan -- "sort of" because I used it as 
> a basis for my personal overlay's pan-9999 live-git ebuild, when upstream 
> switched autotools -> cmake.  (FWIW I've been "going to" contact and 
> coordinate with the primary author and perhaps add the -9999 version to 
> guru as well once we do, but that's yet to happen...)  Obviously I did the 
> appropriate "unofficial status level" security evaluation in the process 
> of converting it to live-git -9999.
> 
> Quality:
> 
> I /think/ the quality attribute /may/ have been introduced later as IDR 
> reading about it in the original layman docs, as I think back then the 
> /assumption/ was that "if it's only in an overlay, it's not up to main-
> tree quality", thus "experimental" and possibly incomplete/under-
> development, below ~arch-level quality.  Either that or perhaps IDR it 
> simply because it didn't strike me as important enough to "underline in my 
> memory" like the status did (with the experimental assumption then being 
> on my part as seeming obvious).
> 
> Graveyard would have been the sunset overlay, which I guess has fallen by 
> the wayside?  (Of course I'm personally much more toward the live-git side 
> than sunset/graveyard, so I'd have never noticed sunset's disappearance.)
> 
> 
> FWIW kde's the only overlay I'm currently actively using (for -9999s, sets 
> and package.accept_keywords), and it's (correctly) official status, 
> experimental quality.  (Tho I only just removed qt days ago, after reading 
> that qt*-9999s are officially in-tree now -- kde of course having required 
> it at times for the -9999s in the :5 era due to upstream kde's sometime
> dependency on unreleased qt.)

I directly use(d) it for my package mask:
gentoo and official overlays are unmasked (default behavior)
Every other overlay gets an entry in my package.mask: `*/*::obscure-overlay`
I unmask packages from non-official overlays only by giving their specific version, and try to look at the ebuild code before merging them.

AFAIK, portage has no other functionality to prevent updates from overlays (e.g. a `sys-libs/glibc` package marked stable in a newer version than in the gentoo tree would be merged by portage without a further hint). OpenSUSE/zypper for example remembers the source/"overlay" of the currently installed package and performs an update only when it's provided by the same source/"overlay".

Best
Gerion
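The mask-everything-then-unmask-by-version layout described in the reply above, written out as an added example that is not from the thread. The overlay names and the pinned pan version are placeholders, and the `/etc/portage` paths assume a default Portage config root.

```text
# /etc/portage/package.mask/overlays
# (added example; overlay names are placeholders)
#
# Mask every atom from each overlay that is neither ::gentoo nor an official
# project overlay. With this in place, a sys-libs/glibc ebuild that such an
# overlay marks stable at a higher version than ::gentoo's is not selected
# for an update, because everything from that repository is masked.
# Packages that exist only in the overlay are masked too and need an
# explicit unmask below.
*/*::obscure-overlay
*/*::another-user-overlay

# /etc/portage/package.unmask/overlays
#
# Re-allow only a version-pinned atom from the masked overlay. Pinning the
# version means a newer ebuild pushed to the overlay later stays masked
# until it has been reviewed and this line is updated by hand; an unpinned
# "net-nntp/pan::obscure-overlay" would lift the mask for every version.
# The version below is a placeholder.
=net-nntp/pan-1.2.3::obscure-overlay
```

`emerge -pv --update --deep @world` prints a `::repo` suffix on candidates that come from a repository other than ::gentoo, so it is a quick way to confirm the masked overlay contributes nothing unexpected.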




Thread overview: 11+ messages
2025-03-28  4:27 [gentoo-dev] The meaning of attributes in repositories.xml? Michał Górny
2025-03-28  8:15 ` [gentoo-dev] " Anna Vyalkova
2025-03-28  8:59   ` Ionen Wolkens
2025-03-28  8:23 ` Duncan
2025-03-28 13:04   ` Michał Górny
2025-03-28 16:31     ` Duncan
2025-03-30 14:37   ` Gerion Entrup
2025-03-28 11:59 ` [gentoo-dev] " Ulrich Müller
2025-03-28 12:57   ` Michał Górny
2025-03-28 16:51     ` Ulrich Müller
2025-03-28 17:19       ` Michał Górny
