[indiana-discuss] [sw-porters-discuss] contrib and pending repo processes
Guido Berhoerster
guido+opensolaris.org at berhoerster.name
Fri Nov 14 17:53:09 PST 2008
* Jim Walker <James.Walker at Sun.COM> [2008-11-14 22:44]:
> review the packages going into /contrib? I would like to keep the
> quality bar as high as possible for /contrib. This was the primary reason
> for /pending. /pending is the dumping ground. /contrib will have viable
> packages for most users.
How do you review a binary IPS package in /pending and verify no
malicious code has been injected by the submitter? With a
spec-file or some other build recipe making the build
reproducible this would be possible. For OSS this should
therefore be mandatory.
If you move packages from /pending to /contrib will the package
be rebuilt on a trusted build server?
> The consolidation processes (ON, SFW, X, Desktop ...) address maintainer
> and support issues, and must be followed before anything goes into /dev.
A maintainership process would encourage responsibility, users
would know if a package is actually maintained, and it avoids
submitters stepping on each other's toes and allows easier
coordination, e.g. how do you coordinate upgrades of a library
which necessitate a rebuild of dependent packages, what if
somebody updates a package that was submitted by someone else who
still assumes responsibility for it? Furthermore it would also
institutionalize the building of reputation which you mentioned
in your other mail.
There are no major Linux distros, or BSDs which allow dumping
binary packages somewhere just like that. They all have some
sort of maintainership process which does not necessarily have to
be complex (as with OS consolidations).
> The proposed path is /pending to /contrib. /contrib packages should
> be fit for general users. If you want a package to reflect a higher
> quality/stability it would need to go through the consolidation process
> and into /dev and finally /release.
My general experience with constantly updating packages as with
Fedora, Debian unstable/testing, FreeBSD ports or Gentoo is that
_despite some testing_ they regularly introduce breakage.
Regular snapshots with a stabilization phase leading to releases
can alleviate that with a little effort, see e.g. pkgsrc or
Blastwave for some positive examples.
--
Guido Berhoerster
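The check the mail asks for, rebuilding a submitted package from its recipe on a trusted builder and comparing the result with the submitted binary, can be reduced to comparing per-file hash manifests of the two trees. The following is an added illustration and not code from the mail or from the IPS project: it hashes two installed file trees, classifies the differences (files only in the submission, files only in the rebuild, files whose content differs) and, in `demo()`, runs that on a constructed pair of temporary directories where the submitted tree has one altered file and one extra file. Real IPS packages carry their own manifests and actions; this example treats a package as a plain directory tree, and it assumes the build recipe itself is deterministic (no embedded timestamps or build paths), otherwise even an honest rebuild will show differences.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_posix_path: sha256 hex} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def compare_manifests(submitted, rebuilt):
    """Classify differences between the submitted tree and the trusted rebuild.

    'added'   : files present in the submission but not produced by the rebuild
    'missing' : files the rebuild produced that the submission lacks
    'changed' : files present in both whose contents differ
    """
    added = sorted(set(submitted) - set(rebuilt))
    missing = sorted(set(rebuilt) - set(submitted))
    changed = sorted(p for p in submitted.keys() & rebuilt.keys()
                     if submitted[p] != rebuilt[p])
    return {"added": added, "missing": missing, "changed": changed}


def verify_package(submitted_dir, rebuilt_dir):
    """Return (ok, diff): ok is True only when both trees are identical file for file."""
    diff = compare_manifests(hash_tree(submitted_dir), hash_tree(rebuilt_dir))
    return not any(diff.values()), diff


def _write(root, rel, data):
    """Helper for the constructed sample trees below."""
    target = Path(root) / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)


def demo():
    """Constructed sample: the rebuild is what the recipe yields; the submitted
    tree has one modified script and one file the recipe never produces."""
    with tempfile.TemporaryDirectory() as rebuilt, \
            tempfile.TemporaryDirectory() as submitted:
        # Files both trees share (what an honest build produces).
        for root in (rebuilt, submitted):
            _write(root, "usr/bin/foo", b"#!/bin/sh\necho foo\n")
            _write(root, "usr/share/doc/foo/README", b"foo 1.0\n")
        # Constructed deviations in the submitted tree only.
        _write(submitted, "usr/bin/foo", b"#!/bin/sh\necho foo; echo extra\n")
        _write(submitted, "usr/lib/foo/helper.so", b"placeholder-not-from-recipe")
        return verify_package(submitted, rebuilt)


if __name__ == "__main__":
    ok, diff = demo()
    print("identical" if ok else "mismatch", diff)
```

A repository gate built on this would accept a /pending package into /contrib only when `verify_package` returns `ok`; anything in `added` or `changed` is exactly the class of content a reviewer cannot see by inspecting the binary alone.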