From: Chris Gianelloni
To: Robert Cole
Cc: gentoo-dev@lists.gentoo.org
Date: Tue, 06 Jan 2004 14:17:52 -0500
Subject: Re: [gentoo-dev] creating ebuilds

On Tue, 2004-01-06 at 11:31, Robert Cole wrote:
> On Tue January 06 2004 8:04 am, Chris Gianelloni wrote:
> > Someone who is NOT a developer, and therefore not held liable. If I add
> > a package to the portage tree, I HAVE to maintain it.
> > That is the current Gentoo policy, and I think a VERY good policy for
> > keeping poor-quality ebuilds out of the tree.
>
> I personally believe this type of management has its days numbered as
> gentoo grows.

I respect your opinion, but as far as I can see, Gentoo is sticking with
the idea that having packages which do not have at least one developer
willing to maintain them is a bad idea.

> > > It sounds like you need a better buffer between new devs and cvs. Like a
> > > said something queue like that the cvs dev can just click to approve and
> > > it all happens automagically.
> >
> > The truth is, I would like to see FEWER packages added, as it seems the
> > quality of some packages is deteriorating, while others are getting MUCH
> > better. Gentoo is working to provide excellent quality control. We do
> > not wish to EVER force the user community to do our QC for us, which is
> > why most of your ideas simply won't work. Pushing the testing phase
> > onto the users is a horrible idea, as it makes it EXTREMELY easy for a
> > user to end up with a very broken system. We try to provide only
> > working packages and not things which are of poor quality, as it
> > reflects on us, as developers.
>
> Are we talking about the same distro here? This is gentoo I'm talking about.
> We all do qc in some form or another whether we report the issue or not is a
> different story.

No. You do bug reporting when you find something wrong. Quality Control
is something that is done before a product is shipped to make sure it
isn't broken.

> Gentoo is an advanced distro. It's always been easy to end up with a broken
> system. Are you trying to make gentoo into another lindows or something?

I'm just going to leave this alone since it is obvious that you're
flame-baiting.
> I will say that qc from the devs has evolved to limit the broken systems that
> used to happen more but we would have never gotten to this point without
> breaking a system or 100 now and again. I'm not saying we should continue
> breaking systems I'm just saying it's not unexpected to get a broken package
> or two now and again even from experienced and trusted devs. Mistakes can
> happen and anyone who uses gentoo should not have a problem with that.

Yes, the quality of developer commits has increased because we have been
making a conscious effort to do so. A broken package or two every now and
then is not usually as detrimental as the chaos that would ensue with
having a system as you propose where quantity and speed take precedence
over quality.

> > Well, cvs does allow for more fine-grained controls over the tree,
> > however Gentoo has decided to not use these and rather to rely on trust
> > to keep things in order. This way a developer is not prohibited from
> > contributing in an area for which he is not an "official" part. For
> > example, if we were to implement strong access controls, I would be
> > allowed to access the games-* parts of the tree. However, I also
> > maintain a few packages under net-misc. If I were to add a new package,
> > I would have to request access for that area, which is a serious
> > bottleneck when you're looking at hundreds of developers each needing
> > access to different areas.
>
> That's exactly the way it works. Now from an administration standpoint you
> should limit the number of exceptions that happen. I mean you having access
> to games and misc is ok that way but if you were to maintain packages across
> a dozen areas then you should just have complete access.

This is something that we will eventually face, but for now we prefer the
idea of allowing developers to expand their horizons and contribute
anywhere they see fit.
There are some limitations on certain areas which are considered to be
more critical, but in general everyone has access to the entire tree.

> > The way Gentoo looks at it is simply that if we can't trust you with the
> > whole tree, why should we trust you with any of it?
>
> It's not so much a matter of trust as it is a good security practice. I have
> root access to my linux systems but does that mean I just run as root all the
> time?

You're just putting words into my mouth here. We're speaking of trust and
professionalism. At work, do you have access to other people's email? I'm
sure you do, since you say that you are an administrator, but does that
mean you go reading other people's mails? I'm willing to bet that you
don't. It is pretty much the same thing. There is nothing actually
stopping you from doing it, other than possible repercussions and your own
integrity.

> If I take your example here I should and everyone should just run as the root
> user on a linux/unix system. Why don't we? Because it's a security risk and
> poor security practice. Same with doing an all or nothing cvs access it's
> just lazy and there is no other way to put it except just plain lazy security
> practices.

You're speaking out of both sides of your mouth. On one side you want to
make adding ebuilds quicker, and on the other, you want us to implement
measures to slow developers' abilities to work. Which is it?

--
Chris Gianelloni
Developer, Gentoo Linux
Games Team

Is your power animal a penguin?