On Tue, 29 Jul 2008, Adrian Schröter wrote:
> * A significant interest by the users (How to measure this? 2 loud people vs. 1000 quiet people?)
Get the download statistics back to work. These are an independent measuring instrument, which can be used exactly for this.
> * Who is able and willing to deliver maintenance updates? (Who qualifies to deliver updates for two years? Who can be the fallback?)
From my point of view Novell is responsible for Factory packages, so trust and maintenance must be handled by the Novell people. The OBS packages can thus only be a base for their own package.
So it is plainly:

- Download statistics suggest to integrate package x
- package x is taken from OBS to Factory
- review the SPEC files
- check sources against upstream (are the tarballs equal?)
- check upstream sources (to a certain degree)
- check patches

Now the depth of the checks depends on the package, the quality of the resulting RPM and also the individual trust-level of the author of the package. Also the depth of these checks for updates mainly depends on the trust-level of the package author.

But these are all Novell internals. The open part of SUSE should be separated from that. I install openSUSE on many systems and want to be sure (to a certain degree - it's open source) this is possible.

Anyway I use the same method for Application:Geo. While initially everybody had write access to every package there, I switched that, so that I'm the only one and the others have access to the individual packages only. From time to time I check all the changes that happened in between (This does not mean I will be able to detect any dangerous modifications at all). At the end the project Application:Geo has established a security policy without the need to discuss this with anybody else. Same is true for Factory - it's a pure internal problem.

Ciao
--
http://www.dstoecker.eu/ (PGP key available)