From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from lists.gentoo.org ([140.105.134.102] helo=robin.gentoo.org) by nuthatch.gentoo.org with esmtp (Exim 4.54) id 1FMREy-00087L-Oo for garchives@archives.gentoo.org; Thu, 23 Mar 2006 14:56:45 +0000 Received: from robin.gentoo.org (localhost [127.0.0.1]) by robin.gentoo.org (8.13.6/8.13.5) with SMTP id k2NEu9Ww019504; Thu, 23 Mar 2006 14:56:09 GMT Received: from smtp.gentoo.org (smtp.gentoo.org [134.68.220.30]) by robin.gentoo.org (8.13.6/8.13.5) with ESMTP id k2NEsFad023683 for ; Thu, 23 Mar 2006 14:54:16 GMT Received: from rocket by smtp.gentoo.org with local (Exim 4.54) id 1FMRCZ-00067L-IW for gentoo-dev@lists.gentoo.org; Thu, 23 Mar 2006 14:54:15 +0000 Date: Thu, 23 Mar 2006 14:54:15 +0000 To: gentoo-dev@lists.gentoo.org Subject: Re: [gentoo-dev] Official overlay support Message-ID: <20060323145415.GA24313@toucan.gentoo.org> Mail-Followup-To: Eric Edgar , gentoo-dev@lists.gentoo.org References: <441F35B9.8000406@gentoo.org> <4421836A.8040000@gentoo.org> <1143123468.14434.5.camel@cgianelloni.nuvox.net> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@gentoo.org Reply-to: gentoo-dev@lists.gentoo.org Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="pf9I7BMVVzbSWLtt" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.11 From: Eric Edgar X-Archives-Salt: 532c5aa0-a055-4e6e-a9b2-bce657d32976 X-Archives-Hash: 89d7ccb472761bc84ef0c3b57753485c --pf9I7BMVVzbSWLtt Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable I personally think this is a bad idea. I can understand and support links to different overlay repositories, however I do not think that gentoo should host or support overlays on its own infrastructure. For one thing supporting overlays on our infrastructure looks like we are supporting broken ebuilds. This will also lead to more confusion with users who find these official overlays and then the overlays conflict with each other and cause problems that leads to comments like well gentoo should just know how to fix it and make it all work. I also think that this overlay structure will not provide incentives for people to commit to the main tree. They will get their ebuild in an overlay and its hosted on gentoo and distributed to the mirrors. At that point its easy for them to continue to use the overlay. Over time the overlay will diverge more and more from other overlays and even the main tree. If this still goes forward I think we should look at the debian layout where there is the core product and then the security branches etc. Personally I think this is going to cause more bug reports and less updates to the main tree. I also agree that a hostile fork is unlikely, however it is more possible with the overlay layout as anyone can get an ebuild mirrored on our infrastructure at this point. Another thing to concider is how would people be able to contribute to the overlays? Is there a review process? Is there a checkin process? If no then anyone can post a malicious ebuild that would be a security nightmare. I think this security viewpoint alone is enough to re-evaluate this plan of action. Eric On 14:41 Thu 23 Mar , Stuart Herbert wrote: > Hi Chris, >=20 > On 3/23/06, Chris Gianelloni wrote: > > If some random developer goes out there and creates his own fork of > > catalyst in his overlay, I sure don't want to receive a *single* bug on > > it. Ever. >=20 > Your nightmare scenario seems unavoidable. Enabling per-overlay bug > tracking doesn't stop users posting bugs in bugzilla. It just causes > confusion for users, because they're not sure where to go. Normally, > it's not a problem - because the overlay contributors are normally the > owners of the real package. >=20 > A hostile fork of Catalyst is very much a special case. >=20 > What we could do is say that overlays are for package trees only; ie > they are not general-purpose repositories for holding source trees.=20 > That would ensure that your nightmare scenario is even less likely to > happen, and that if it does, it's through no fault of the overlays > project :) >=20 > Best regards, > Stu >=20 > --=20 > gentoo-dev@gentoo.org mailing list >=20 >=20 --pf9I7BMVVzbSWLtt Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFEIraXG1H288hHbuMRAtRcAJ9tTRobuEqIb25BswMSlgC2bcUhRACcDOJR gNpeve7ZiWbN3kKFVfRDHvw= =FHgg -----END PGP SIGNATURE----- --pf9I7BMVVzbSWLtt-- -- gentoo-dev@gentoo.org mailing list