
Re: RFC: Central version control for Debian



* Matt Zimmerman (mdz@debian.org) wrote:
> Recent discussions about auditing have gotten me thinking about Debian's use of
> version control (or lack thereof).  Currently, the situation is left in the
> hands of individual developers.  Many of them use CVS; some use other methods;
> some use no version control at all.
> 
> OpenBSD's best weapon in their auditing efforts is their CVS tree.  They have
> access to all of the code in one place, with a complete change history.  Why
> not set up something similar for Debian?  To start, uploaded packages could be
> automatically imported into 'source' and 'debian maintainer' branches.  This
> would, at the very least, allow for easy diffs between versions.
The BSDs use CVS for their core system, i.e. kernel, basic system
requirements, that sort of thing.
You'll see the package tree is
(a) fairly separate
(b) not full of packages anyway, just Makefiles and patches.

> 
> Eventually, it would be nice to allow maintainers to commit changes to the
> repository.  Things get much more complicated here.  Debian has a lot more
> developers than OpenBSD, and we seem to make changes much more frequently.
> Developers could easily step on one another's toes.  Package maintainers need
> to be able to ensure that they don't miss ANY changes that are made to their
> packages, lest unexpected bugs arise (or worse, malicious ones).
I think there would be too many problems with this idea.
1) who decides when to create branches, roll releases, etc? the
maintainer? the cvs admin? the release manager? some random
maintainer who wants a new ver of package foo because their
package has just been upgraded and it depends on a new version
of foo?
2) It's too easy to miss such a change. If you go on holiday for
a couple of days and someone checks in a security fix, and you
don't realise, that's going to be a fairly awkward situation for
all concerned. It's equally do-able with packages, I agree, but
cvs is a lot more immediate.
> Having such a tool would be a huge advantage for nearly everyone:
> 
> - The Security Team could create branches from older versions to backport
>   fixes, and easily extract individual changes (e.g. changes to a particular
>   source file between two upstream releases) and merge them in.
This is one thing that would really benefit from cvs.
> - Maintainers adopting orphaned packages would have access to the complete
>   history of the package, to help avoid repeating old mistakes, and to help
>   understand why changes were made.
That's what the changelog is for.
> - A hypothetical security auditing team could easily and methodically audit the
>   entire source tree.
*falls off his chair* Debian has ~600 developers. If each of
them only maintains 4 packages, each of around a megabyte of
source code (a gross simplification, and it doesn't take into
account things like X, emacs, gnome, kde etc.), that is 2.4 gig
of source code. Not to mention documentation.
> - Peer review could increase, as well as additional sharing and collaboration
>   between maintainers.
Potentially. But everyone has access to the sources - if they
want them, 'apt-get source blah' is no harder or less usable than
'cvs -z3 co blah', and you still have to send email/patches (assuming
politeness and not just randomly applying fixes to cvs) to the
maintainer either way.
> etc., etc.  The biggest barrier to making this work seems to be deciding who
> should be able to commit changes where.  CVS may not currently be flexible
> enough for our needs; it would be nice, for example, if certain users (the
> security team) were able to create a branch for a package, but not trample over
> the maintainer's current stuff. 
Tricky with CVS, I think.
> Tracking is relatively easy; the official
> maintainer address could be sent mail whenever a change was committed to one of
> their files.
Infrastructurally it'll be fairly intensive, I guess. It's
machine intensive because all commits have to be done to the
same source, so you can't distribute queues; you wind up with
two sets of source code for each package - one in cvs, one on
Debian package mirrors. Will you need anonymous access? If so,
will you want a network of anonymous mirrors, in which case you
have yet more rsync traffic, etc...
> Comments?
See above. I think it's a good idea for the core of Debian -
base system, installers, docs etc. (all the stuff already in cvs
;) ) but for the packages it's a massive commitment,
and I can't see how you'd gain that much.
Just my £0.02
Cheers,
-Thom
