Mailinglist Archive: opensuse (4398 mails)

Re: [opensuse] Packages from a user and Packager perspective
  • From: Pascal Bleser <pascal.bleser@xxxxxxxxx>
  • Date: Tue, 06 Sep 2005 14:15:50 +0200
  • Message-id: <431D8876.7050102@xxxxxxxxx>

Sonja Krause-Harder wrote:
(hi Sonja, thanks for your hard work on the Java packages ;))

> On Tue, Sep 06, 2005 at 01:48:25PM +0200, Pascal Bleser wrote:
>> C'mon, it's the same on packman: someone sends an e-mail "hi I packaged this".
>> Would you just take his RPM and put it in the packman repository as-is, without reviewing or testing it ?
> What if the package was clearly marked as untested, submitted by an
> unknown, unrated, untrusted new user, and not available through
> automatic update, but only with explicit manual intervention? Would you
> still object?

See what I wrote in my latest reply to Henne:
--->8--snip------------------
Well, if you really want to let anyone submit RPMs just by uploading them into some FTP, we would at
the very least need separated repositories (stable, unstable, testing), to let users choose what
harm they want to do to their system ;)
Note that it's not exactly the same idea as Debian: with Debian, that "state" applies to the whole
distribution. We will still have a stable SUSE distribution every 6 months, so we won't run into
those issues. That stable/unstable/testing would apply to every single "3rd party" package itself.
testing = not reviewed, not tested
unstable = reviewed, not much tested
stable = reviewed, tested by at least x people
What would be nice, regarding that, is to have the possibility of letting users post their
experience with the packages through some web interface. When an "unstable" package has a certain
amount of positive feedback from users, it's being promoted to "stable".
And "testing" packages simply get promoted to "unstable" when they have been reviewed by at least 1
or 2 experienced packagers.
That's something I already discussed with RPMforge. IMHO it's a very good solution to a number of
potential issues, but most probably involves writing some software for it (the web frontend for
posting feedback).
--->8--snip------------------

> Trust is an issue. But keeping everything out and only letting trusted
> packages is only one possible solution, and one that creates the
> bottlenecks you can observe in other open projects.

Being wide open is also an issue, IMHO even a lot worse one.

And I never said to "keep everything out".
I talked about reviews, cross-signing, and one option being to have different quality labels on
individual packages (stable/unstable/testing).

The latest most probably being the most interesting one.

Geez, I never said to make it a private club :)
Anyone can participate, create an account, sign in, and follow the guidelines.

> Another idea is transparency: make clear what level of trust a package
> has, what kinds of reviews were done, and make sure users know the risks
> when they download and install something. But allow everyone to use the
> build infrastructure and package distribution servers and host their
> packages there.

Sure, anyone can package anything and put it on their website ;)

> What would we need for such a model to work?
1. define policies and quality guidelines for packages, based on what Novell/SUSE already provides:
2. set up an infrastructure for
   - bug reports
   - voting/feedback on packages to promote from unstable to stable
3. central mailing-list for all the packagers involved
4. implement support for that/those repository/ies into YaST2

--
-o) Pascal Bleser
/\\ <pascal.bleser@xxxxxxxxx> <guru@xxxxxxxxxxx>
_\_v The more things change, the more they stay insane.
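The testing/unstable/stable promotion scheme sketched in the mail, written out as an added Python example; this is not code from the thread nor from any openSUSE or Packman tool. The concrete thresholds (two experienced packagers to reach "unstable", five positive user reports standing in for the mail's "x"), the rule that a rejection from an experienced packager blocks promotion, the no-self-review rule, and all package, reviewer and user names are assumptions. The security-relevant design choice is that reviews and feedback are keyed by identity: an unknown uploader cannot review their own upload, an unrated account's review does not count, and re-voting from one account does not add weight.

```python
"""Quality-label promotion for third-party packages: testing -> unstable -> stable.

Added example, not code from the mailing list. Thresholds are assumptions:
the mail only says "1 or 2 experienced packagers" and "at least x people".
"""
from dataclasses import dataclass, field

LEVELS = ("testing", "unstable", "stable")
REVIEWS_FOR_UNSTABLE = 2   # assumed: two experienced packagers must approve
FEEDBACK_FOR_STABLE = 5    # assumed value for the mail's "x" positive reports


@dataclass
class Package:
    name: str
    uploader: str
    reviews: dict = field(default_factory=dict)   # reviewer -> "ok" | "reject"
    feedback: dict = field(default_factory=dict)  # user -> True (works) | False
    level: str = "testing"                        # every upload starts untested


def record_review(pkg, reviewer, verdict, experienced_packagers):
    """Only identified, experienced packagers may review, never their own upload."""
    if reviewer not in experienced_packagers:
        raise PermissionError(f"{reviewer} is not an experienced packager")
    if reviewer == pkg.uploader:
        raise ValueError("uploader may not review their own package")
    if verdict not in ("ok", "reject"):
        raise ValueError("verdict must be 'ok' or 'reject'")
    pkg.reviews[reviewer] = verdict  # keyed by identity: one vote per reviewer


def record_feedback(pkg, user, works):
    """Feedback posted through the (hypothetical) web frontend; one vote per account.
    A repeat vote overwrites the earlier one instead of counting twice."""
    pkg.feedback[user] = bool(works)


def evaluate(pkg):
    """Recompute the label from the recorded evidence and store it in pkg.level.

    testing  -> unstable: enough 'ok' reviews and no 'reject' (assumed: any
                          reject from an experienced packager blocks promotion)
    unstable -> stable:   enough distinct users reported that the package works
    A label is always derived from evidence, so it can also drop again if a
    later review rejects the package.
    """
    approvals = sum(1 for v in pkg.reviews.values() if v == "ok")
    rejected = "reject" in pkg.reviews.values()
    positive = sum(1 for ok in pkg.feedback.values() if ok)

    level = "testing"
    if approvals >= REVIEWS_FOR_UNSTABLE and not rejected:
        level = "unstable"
        if positive >= FEEDBACK_FOR_STABLE:
            level = "stable"
    pkg.level = level
    return level


def visible_in(pkg, channel):
    """Which repository a user must have enabled to see the package.

    Enabling 'unstable' shows unstable and stable packages; 'testing' packages
    only appear when that repository is enabled explicitly, matching the mail's
    point that untested uploads are never pulled in by automatic update.
    """
    return LEVELS.index(pkg.level) >= LEVELS.index(channel)
```

Because `evaluate()` derives the label from the stored reviews and feedback rather than from a flag the uploader controls, the label is a statement about who vouched for the package, which is the property the rest of the thread argues for.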