[indiana-discuss] [desktop-discuss] [sw-porters-discuss] contrib and pending repo processes

Luis de Bethencourt luis.debethencourt at sun.com
Tue Nov 18 15:25:30 PST 2008


On Tue, Nov 18, 2008 at 11:19 PM, Shawn Walker <swalker at opensolaris.org> wrote:
> Luis de Bethencourt wrote:
>> On Tue, Nov 18, 2008 at 11:07 PM, Shawn Walker <swalker at opensolaris.org> wrote:
>>> Luis de Bethencourt wrote:
>>>> That said, we shouldn't accept binaries built on an untrustworthy
>>>> machine. The process we define has to make submissions be built in our
>>>> controlled systems. That is how Launchpad works.
>>> Being aware that a "trustworthy machine" is highly dependent upon the
>>> machine, the person using it, and so forth.
>>>
>>> Again, don't forget the exception cases.
>>>
>>> I don't think anyone here is suggesting that only certain people can
>>> build software.
>>>
>>> If we are, that's sort of silly, since we can't distribute the workload
>>> if we do that.
>
>> Can you define distribute the workload?
>
> I'm not talking about the CPU compilation, etc.  I'm talking about
> "people resources" needed to re-do work that's already been done.  Hence
> my reference to certain people doing the build.

Not if the package is built automatically by the system. If it comes
out of the blue it goes to pending; if it is approved by a trusted member,
it goes to contrib. I don't see re-doing work there, and avoiding people
losing time while keeping a trustworthy system is our greatest objective.

>
> For example, if someone contributing a package has been trusted with
> access to a build system, they should be able to build it on that system
> and publish it with approval instead of someone else having to do so.
>
>> As far as I know all Linux distros have a build machine in the
>> official repo (the one that gets mirrored) and nobody complains. I
>> wouldn't trust a deb package built by someone I don't know and that I
>> can't check the sources. The exception to this is gentoo, which makes
>> the users be their own build systems in most of the cases.
>
> But you are trusting people you don't know and hence why the Debian
> OpenSSL debacle happened.

To become a Debian Developer you not only need to pass a technical
interview about packaging and open source licenses, legalities and
such. You also need another Debian Developer to meet you in person and
sign your GnuPG key, which you then have to sign all your
contributions with.

OK, then you don't double-check all the work of trusted people. But
this is very far from just letting anything in from anywhere. And in
Debian you do have to send the sources to be built on the official
machine; you have to use dput to push the packages in, and dput
forcefully sends the source package.

Luis

>
> --
> Shawn Walker
> _______________________________________________
> indiana-discuss mailing list
> indiana-discuss at opensolaris.org
> http://mail.opensolaris.org/mailman/listinfo/indiana-discuss
>



-- 
Luis de Bethencourt Guimerá
luisbg
<luisbg at ubuntu.com>
GPG: B0ED1326


