On 4 October 2011 13:27, Martin Schlander
On Tuesday, 4 October 2011 12:12:11, Sven Burmeister wrote:
To repeat myself again. There is no maintainer for KUA! QA is not given. That's all that matters.
KUA has at least the same level of QA as any other unsupported OBS repo, i.e. none - except the maintainer himself (that would basically be me, though I call in the cavalry when I become aware of significant problems I cannot fix) using most of the packages on one specific distro version and arch.
All QA besides that depends on users reporting problems. This is the same as for any other OBS repo, whether in the community repos list or not.
Since KUA is limited to links to KDF the packages will actually have been tested somewhat before entering KUA, although in a different environment.
As an 11.4 user I ask myself:

- Who will patch the digikam 1.8 package from the main repo if there is ever a security issue? The security team.
- Who will patch the digikam 2.2 package from the KDF repo if there is ever a security issue? There are two independent teams here. At the very minimum upstream will do it (and the KDF maintainers will publish the update from upstream). And I expect the security team and/or the KDF maintainers to also do some basic checks since those packages have to go to Factory. Perhaps it's not as secure as the package from the official repo, but it gives me some confidence to know someone is watching it.
- Who will patch the digikam 1.9 package from the KUA repo if there is ever a security issue? Upstream is NOT going to. KDF maintainers are NOT going to. Who is going to then?

And that's the simple reason why packages should build.

Trust in a package is a temporal state that disappears the moment the maintainer publishes an update. What I really trust is the maintainer, not the package, and the maintainer can only transfer that trust to the LATEST package. I even stop trusting the packages from the official repo once an update is published in the updates repo...
How do I know? Simply because there would not be a broken 1.9 package in there months after it built correctly (if ever) last time if somebody cared.
You still have not explained how the maintainer is supposed to fix something no one reported is broken.
So KUA users should check themselves for security issues and report them to you? Well, perhaps that should be the official minimum for a repo to be in the list: "We don't make any promises about how long it will take to fix security issues. But YOU will NOT need to check for security issues in the packages from these repos."