From: Kurt Lieber
To: gentoo-dev@lists.gentoo.org
Date: Tue, 6 Jan 2004 04:54:09 -0500
Subject: Re: [gentoo-dev] creating ebuilds
Message-ID: <20040106095408.GR7941@mail.lieber.org>
In-Reply-To: <200401060039.29348.robert.cole@support4linux.com>

On Tue, Jan 06, 2004 at 12:39:29AM -0800 or thereabouts, Robert Cole wrote:
> I like it. That's a very good process. I'm talking about ebuilds here. I'll be
> honest and say I don't know how the backend of the portage tree works with
> security and all, but maybe another tier would be in order if possible. Like a
> low-access new-ebuild access that gets queued and not actually put in the
> tree, and someone with access could simply flag it to move into the tree or
> reject it, sending an email back to the creator of the ebuild saying why.

You've just described bugs.gentoo.org. Granted, plenty of ebuilds sit in there and never make it into the tree. This is not the fault of bugzilla, however. It is more a problem with our process. Ebuilds make it into the tree when a developer cares about them. If no developer cares about them, they tend not to make it into the tree. For right or wrong, that's how things work today.

I could see benefits to having a dedicated person, who was extremely knowledgeable in the ins/outs of ebuild creation, who did nothing else except scan bugs.gentoo.org for new ebuilds and put them into the tree. Whether there's a person out there with the right skill set willing to do such a job is another question entirely. (not saying there isn't, btw)

> > You would be cautious too if there were an estimated quarter of a
> > million systems at stake.
>
> Those systems aren't yours or any other Gentoo devs' responsibility. I think if
> most Gentoo users/admins would really, really think about it, they know the
> risks they took when they started using Gentoo. It's bleeding edge, using
> ACCEPT_KEYWORDS or not. I understand, and if every Gentoo user would really
> be honest with themselves, that my system could go POOF on the next world
> update. I know mine has a few times in the earlier days of Gentoo. That's
> life on the bleeding edge.

I believe Jon was talking more about the security side of the house. Each developer we give CVS access to is one more developer that can commit a trojaned ebuild or do something else nasty. Thus, we try to be somewhat careful about handing the keys to the kingdom over to new folks.

--kurt