public inbox for gentoo-project@lists.gentoo.org
From: Rich Freeman <rich0@gentoo.org>
To: gentoo-project <gentoo-project@lists.gentoo.org>
Subject: Re: [gentoo-project] [RFC] New project: GURU [Gentoo User Repository, Unreviewed]
Date: Mon, 4 Feb 2019 09:35:19 -0500	[thread overview]
Message-ID: <CAGfcS_=A3OOU7_sNO+Cdtk=sT-RBstk=que+hpbvzBQ_3YhLcQ@mail.gmail.com> (raw)
In-Reply-To: <1549222129.929.25.camel@gentoo.org>

On Sun, Feb 3, 2019 at 2:28 PM Michał Górny <mgorny@gentoo.org> wrote:
>
> 1. Should the access be open or explicitly granted?  If the latter, how
> should we determine whether to grant access for a particular
> contributor?
>

Obviously we're going for a low barrier to entry here.  However, I
think there needs to be SOME kind of reputation system in place (not
necessarily at time of account creation) otherwise we're going to be
open to completely trivial attacks.

One thing I don't like about AUR is that fairly non-exotic packages
end up residing there solely, and updating these becomes tedious,
because you basically have to protect yourself against the script
kiddies.  I don't think our intent here is to have the main repository
focus mainly on @system though, so this might not be as much of an
issue.

We probably do need to have some way to keep users from just shooting
themselves in the foot.  Unless we have a really strong vetting
process for packages in this alternate repository we're not going to
want to have people just blindly accepting updates from there.  All
that said I think the "AUR Helper" approach Arch uses is a pretty
clunky approach.

I feel like there ought to be some kind of reputation-based solution
where users can earn karma based on actual contributions and then for
updates to be eligible for keywording or whatever they have to be
endorsed by users with enough collective karma or something.
Obviously that is way less trivial to build than a random git repo
that lots of people can push to or whatever.

If we had a reputation-based system then anybody could be allowed to
submit ebuilds without any vetting, since they wouldn't actually
become keyworded/effective/published/whatever until they get vouched
for.  However, we'd have to avoid a system where account spam can be
used to play karma games quickly and sneak in packages.

Another approach would be a WoT-like system where users pick what
other users THEY trust and the package manager understands this, so
only ebuilds endorsed by that other user are accepted.  Maybe like GPG
there can be trust levels/scores so that more than one endorsement is
allowed.  Being end-user-driven this would be much less susceptible to
karma games.  It probably would require a lot less micromanagement as
well and there are no longer arguments over who should/shouldn't get
karma as every end user gets to decide for themselves.  On the flip
side it does let users shoot themselves in the foot, which I guess is
how we tend to roll here...

Really, though, you have to expect that something like this is going
to get abused.  I think the key is to make abuse non-trivial so that
we aren't playing whack-a-mole with rootkit installers.

-- 
Rich
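
The "WoT-like" endorsement check described in the message above, as an added example that is not part of the original post and not code from Gentoo or any GURU tooling: the package manager consults the end user's own trust assignments (modelled on GnuPG ownertrust, with "full" and "marginal" levels and GnuPG-style completes-needed / marginals-needed thresholds) and accepts an ebuild revision only when enough trusted users have endorsed it. Because only users the end user has chosen to trust count, a batch of freshly created accounts cannot vote a package into acceptance. All names, thresholds and endorsement records are constructed for illustration.

```python
# Added example, not part of the original message or any Gentoo tooling.
# End-user-driven endorsement check modelled on GnuPG ownertrust: the
# end user's local trust assignments decide whose endorsements count.
# Names, thresholds and endorsement records are constructed for illustration.
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum


class Trust(IntEnum):
    NONE = 0       # unknown or explicitly untrusted contributor
    MARGINAL = 1   # like GnuPG "marginal" ownertrust
    FULL = 2       # like GnuPG "full" ownertrust


@dataclass
class TrustPolicy:
    """The end user's local trust database plus GnuPG-style thresholds."""
    ownertrust: dict[str, Trust] = field(default_factory=dict)
    completes_needed: int = 1   # one fully trusted endorser suffices ...
    marginals_needed: int = 3   # ... or this many marginally trusted ones

    def accepts(self, endorsers) -> bool:
        # Deduplicate: one contributor endorsing twice is still one endorsement.
        unique = set(endorsers)
        full = sum(1 for u in unique
                   if self.ownertrust.get(u, Trust.NONE) == Trust.FULL)
        marginal = sum(1 for u in unique
                       if self.ownertrust.get(u, Trust.NONE) == Trust.MARGINAL)
        return full >= self.completes_needed or marginal >= self.marginals_needed


def evaluate(policy: TrustPolicy, endorsements: dict[str, list[str]]) -> dict[str, bool]:
    """Map each endorsed ebuild revision to accept/reject under the policy."""
    return {ebuild: policy.accepts(users) for ebuild, users in endorsements.items()}


# Constructed sample: which contributors THIS end user has chosen to trust.
# Nobody else's opinion counts, so sock-puppet accounts carry no weight.
USER_POLICY = TrustPolicy(ownertrust={
    "alice": Trust.FULL,
    "bob": Trust.MARGINAL,
    "carol": Trust.MARGINAL,
    "dave": Trust.MARGINAL,
})

# Constructed endorsement records, keyed by ebuild revision.
ENDORSEMENTS = {
    "app-misc/foo-1.2": ["alice"],                              # one full endorser
    "app-misc/bar-0.9": ["bob", "carol", "dave"],               # three marginals
    "app-misc/baz-3.0": ["bob", "bob", "carol"],                # bob counted once
    "app-misc/evil-1.0": ["sock1", "sock2", "sock3", "sock4"],  # unknown accounts
}


if __name__ == "__main__":
    for ebuild, ok in evaluate(USER_POLICY, ENDORSEMENTS).items():
        print(f"{ebuild}: {'ACCEPT' if ok else 'REJECT'}")
```

With the constructed data, foo and bar are accepted, baz is rejected because a repeated endorsement from the same account is counted once, and evil is rejected because none of its endorsers appear in the user's trust database. Lowering marginals_needed trades sybil resistance for convenience, which is exactly the foot-shooting freedom the message describes.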



Thread overview: 24+ messages
2019-02-03 19:28 [gentoo-project] [RFC] New project: GURU [Gentoo User Repository, Unreviewed] Michał Górny
2019-02-03 21:29 ` Kristian Fiskerstrand
2019-02-04  5:45   ` Michał Górny
2019-02-03 22:37 ` Michael Orlitzky
2019-02-03 23:08   ` Kristian Fiskerstrand
2019-02-04 10:58 ` Alexis Ballier
2019-02-04 13:28   ` Michał Górny
2019-02-04 13:43     ` Brian Evans
2019-02-04 14:02       ` Michał Górny
2019-02-04 14:25         ` Michael Orlitzky
2019-02-04 13:48     ` Alexis Ballier
2019-02-04 13:54       ` Michał Górny
2019-02-04 14:04         ` Alexis Ballier
2019-02-04 14:13           ` Michał Górny
2019-02-04 14:35             ` Alexis Ballier
2019-02-04 14:43               ` Rich Freeman
2019-02-04 15:09                 ` Alexis Ballier
2019-02-04 15:20                   ` Rich Freeman
2019-02-04 17:06                   ` Ian Stakenvicius
2019-02-04 18:32                     ` Mike
2019-02-04 18:44                       ` Rich Freeman
2019-02-04 14:28 ` Virgil Dupras
2019-02-04 14:35 ` Rich Freeman [this message]
2019-02-04 17:18 ` Thomas Deutschmann
