
Re: An idea.... (Was: debfind.net (was: GNOME-HELIX))

On Fri, 30 Jun 2000, Clay Crouch wrote:
> If that should happen, how would we maintain QC?

Who is the "we" in this sentence?  If it is Debian, then taking on this
responsibility is actively sanctioning the development of .debs outside of
Debian.  I have not yet heard a compelling argument for why this should be

> How's about putting lintian functionality in APT itself such that
> it _quietly_ checks a deb during/after fetch for policy violations,
> and possibly for namespace conflicts. If violations are found, it
> warns the user that they might be about to break their system....

This, in and of itself, doesn't sound like a bad idea, although I'm not
sure what the technical ramifications are.

> Also, we could put enough GPG functionality into APT to check package
> signatures. If a package is not signed by a current Debian maintainer,
> the user is warned.

Again, useful anyway (e.g. in the context of NMU's,) and perhaps worth
pursuing as an end in itself.

> If APT finds either policy/namespace violations or non-signed packages,
> it prompts the user as to whether or not they _really_ want to install
> the package, and if they do, the install continues regardless of any
> breakage that may occur.
> I am not sure of all of the technical ramifications of such a thing,
> and I know that it would slow the apt-get process a bit, but would
> something like this be worthwhile?

Possibly, but not for the reasons you suggest.

> That way, we can keep 'official' debs that are almost certain to
> work correctly due to our QC policies, and still allow others to
> create their 'unofficial' repositories without causing _us_ any grief.

After following the whole GR debate, at first taking a moderate stance
that yes, something should be done about non-free, but finally being
compelled by the "status quo" arguments to change my mind, I do not think
unofficial repositories are good for the project.  If there are legitimate
sources of debs that are currently not in the archives, we should look to
ways of bringing them into the project, rather than accommodating for them
in this fashion.  This is not about being "control freaks".  It has
everything to do with ensuring not just "some" quality control, but the
*highest possible* quality control.  Why settle for anything less?  If
there is a way to ensure better quality control, we should go for it.  If
the packages are "unofficial" because they are "bad for Debian" (for legal
or whatever other reasons) then why sanction them?

    nSLUG       http://www.nslug.ns.ca      synrg@sanctuary.nslug.ns.ca
    Debian      http://www.debian.org       synrg@debian.org
[ pgp key fingerprint = 7F DA 09 4B BA 2C 0D E0  1B B1 31 ED C6 A9 39 4F ]
[ gpg key fingerprint = 395C F3A4 35D3 D247 1387  2D9E 5A94 F3CA 0B27 13C8 ]
