6 Sep 2005 12:15
Sonja Krause-Harder wrote:
(hi Sonja, thanks for your hard work on the Java packages ;))

> On Tue, Sep 06, 2005 at 01:48:25PM +0200, Pascal Bleser wrote:
>> C'mon, it's the same on packman: someone sends an e-mail "hi I packaged this".
>> Would you just take his RPM and put it in the packman repository as-is, without reviewing or testing it?

> What if the package was clearly marked as untested, submitted by an
> unknown, unrated, untrusted new user, and not available through
> automatic update, but only with explicit manual intervention? Would you
> still object?

See what I wrote in my latest reply to Henne:

--->8--snip------------------
Well, if you really want to let anyone submit RPMs just by uploading them into some FTP, we would at the very least need separated repositories (stable, unstable, testing), to let users choose what harm they want to do to their system ;)

Note that it's not exactly the same idea as Debian: with Debian, that "state" applies to the whole distribution. We will still have a stable SUSE distribution every 6 months, so we won't run into those issues. That stable/unstable/testing would apply to every single "3rd party" package itself.

testing  = not reviewed, not tested
unstable = reviewed, not much tested
stable   = reviewed, tested by at least x people

What would be nice, regarding that, is to have the possibility of letting users post their experience with the packages through some web interface. When an "unstable" package has a certain amount of positive feedback from users, it gets promoted to "stable". And "testing" packages simply get promoted to "unstable" when they have been reviewed by at least 1 or 2 experienced packagers.

That's something I already discussed with RPMforge. IMHO it's a very good solution to a number of potential issues, but most probably involves writing some software for it (the web frontend for posting feedback).
--->8--snip------------------

> Trust is an issue. But keeping everything out and only letting trusted
> packages is only one possible solution, and one that creates the
> bottlenecks you can observe in other open projects.

Being wide open is also an issue, IMHO even a much worse one. And I never said to "keep everything out". I talked about reviews, cross-signing, and one option being to have different quality labels on individual packages (stable/unstable/testing). The latter most probably being the most interesting one.

Geez, I never said to make it a private club :)
Anyone can participate, create an account, sign in, and follow the guidelines.

> Another idea is transparency: make clear what level of trust a package
> has, what kinds of reviews were done, and make sure users know the risks
> when they download and install something. But allow everyone to use the
> build infrastructure and package distribution servers and host their
> packages there.

Sure, anyone can package anything and put it on their website ;)

> What would we need for such a model to work?

1. define policies and quality guidelines for packages, based on what Novell/SUSE already provides:
   http://ftp.novell.com/pub/forge/library/SUSE%20Package%20Conventions/spc.html
2. set up an infrastructure for
   - bug reports
   - voting/feedback on packages to promote from unstable to stable
3. central mailing-list for all the packagers involved
4. implement support for that/those repository/ies into YaST2
...

cheers

-- 
 -o) Pascal Bleser     http://linux01.gwdg.de/~pbleser/
 /\\  <pascal.bleser@skynet.be>   <guru@unixtech.be>
_\_v  The more things change, the more they stay insane.