On Wednesday 30 July 2008 09:23:30 Dirk Stöcker wrote:
On Tue, 29 Jul 2008, Adrian Schröter wrote:
* A significant interest by the users (How to measure this ? 2 loud people vs. 1000 quiet people ?)
Get the download statistics back to work. These are an independent measuring instrument, which can be used exactly for this.
Sure, but what is the rule ? How many downloads per time are needed to qualify ?
* Who is able and willing to deliver maintenance updates ? (Who qualifies to deliver updates for two years ? Who can be the fallback ?)
From my point of view Novell is responsible for Factory packages, so trust and maintenance must be handled by the Novell people. The OBS packages can thus be only a base for the own package.
That is possible, but that would mean that no non-Novell employees are allowed as maintainers of packages in openSUSE. I am not sure that we want this.
So it is plainly:
- Download statistics suggest to integrate package x
- package x is taken from OBS to Factory
- review the SPEC files
- check sources against upstream (are the tarballs equal?)
- check upstream sources (to a certain degree)
- check patches
Now the depth of the checks depends on the package, the quality of the resulting RPM and also the individual trust-level of the author of the package. Also the depth of these checks for updates mainly depends on the trust-level of the package author.
But these are all Novell internals. The open part of SUSE should be separated from that. I install openSUSE on many systems and want to be sure (to a certain degree - it's open source) this is possible.
Yes, I agree 100% here. But shouldn't it be possible also that non-Novell employees can become part of distribution maintainers ? I fear that otherwise plenty of packages just get refused due to limited resources. Of course we need a definition, when someone is trustable enough for Factory maintainership.
Anyway I use the same method for Application:Geo. While initially everybody had write access to every package there I switched that, so that I'm the only one and the others have access to the individual packages only. From time to time I check all the changes that happened in between (This does not mean I will be able to detect any dangerous modifications at all). At the end the project Application:Geo has established a security policy without the need to discuss this with anybody else. Same is true for factory - it's a pure internal problem.
No, in factory directly only a very small group has direct write access. They review changes from submitters. But they have their groups of trusted people for certain packages. But their changes get anyway reviewed.
--
Adrian Schroeter
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
email: adrian@suse.de