On Tuesday 29 January 2008, Dr. Peter Poeml said:
On Tue, Jan 29, 2008 at 03:12:49PM +0100, Rupert Horstkötter wrote:
I want to raise your attention on a project I'm currently working on with Adrian: the implementation of a trust/rating system for the OBS. We'd appreciate if everyone interested could communicate his opinions/thoughts/impressions on this. We are very interested to get some input from the whole openSUSE community. Adrian has already posted a wiki entry which gives further information on the subject here... http://en.opensuse.org/Build_Service/Concepts/Trust Feel free to comment on this - input is highly appreciated!
I read the proposal and I like it. It seems reasonable and doable. I appreciate the decision to offer different ways of how trust can be "earned". I'm not sure if that can be molded into a single number, however I would be happy with several separate "channels" of trust, if you know what I mean.
Agreed, since trust is advisory, one's assessment of trust would be helped by having some discrete information on a packager eg:
Joe Packager

Individual assertions of trustworthiness
  [x] signed guiding principles
  [x] signed maintenance agreement
  [x] assured identity

Trust Testimonials from others
  [x] Novell employee
  trusted by Jane Packager (trust: 40)
  trusted by Jim Packager (trust: 10)
  trusted by Johnny Packager (trust: 1)

Statistics
  Time in project: 3 years 1 month
  Packages maintained: 12
  Mean package update latency: 10.3 days [*]
  Bugs/package: 1.7 [**]
  Mean Rpmlint warning score: 20
I guess you could come up with some kind of weighting for each of these values to come up with an overall trust metric. My question is, how would this trust metric be used? Is it shown to the user upon adding a repo along with a scale explaining eg "Trust 100 - 80: Highly trusted. These packages are believed to be of high quality, follow openSUSE packaging guidelines well and are kept up to date, ..."? I guess the trust scoring system is influenced by cacert.org - can someone actively involved there explain the rest of their mechanism?
[*] could be computed by logging release dates from Marcus' release scraper scripts and comparing those to the dates packages were updated
[**] fairly arbitrary unless there were a way to distinguish packaging bugs on a package.