
Re: RFC: Central version control for Debian
On Wed, Jan 31, 2001 at 11:40:03PM -0500, Matt Zimmerman wrote:
> - Repackaged upstream source (DBS and similar).  Unfortunately, this includes
>   several important packages, especially in the context of a security audit:
> 
> gcc-2.95        libnss-db       pam             silo
> glibc           openldap2       ppp             yaboot
> gpm             openldap        shadow          zlib
> 
> I don't know what to do about this last set of packages.  Perhaps maintainers
> of these and similar packages would like to speak up about what they gain from
> using such a format, and how we can come up with a solution that meets their
> goals without compromising a CVS effort.  As far as I know, these benefits

Tell us again why you are basically taking over these packages from
their maintainers.

What is it that makes it easier to audit gcc-2.95 and silo by having
them in the same CVS repository?

I just don't get it. If a piece of software could use a security audit,
who is the first person to talk to?

    The upstream maintainer

And the second person?

    The Debian maintainer

What is it that made you jump these two steps? We've seen that the
OpenBSD approach amounts to a fork, and you are trying to do the exact
same thing.

Yet I have a huge filesystem with CVS checkouts from all kinds of
different projects, all living nicely together. I'd have to look into
the CVS/Root files to find out whether they belong to the same
repository. What makes this setup so different from what you're
proposing?

Instead, what would be useful is a database with a subjective evaluation
of every package with regards to security. Anyone so inclined could then
pick a package and start contributing *to the upstream source*. Because
that needs to happen sooner or later anyway.

-- 
The idea is that the first face shown to people is one they can readily
accept - a more traditional logo. The lunacy element is only revealed
subsequently, via the LunaDude. [excerpted from the Lunatech Identity Manual]
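
The "look into the CVS/Root files" check mentioned above, written out as an added example (not code from the original message or from any Debian project): it walks a directory of checkouts, reads each CVS/Root, and groups the working copies by the repository they came from. The sample tree, the project names and the CVSROOT strings are constructed for the example; the only assumption about real checkouts is the standard one, that CVS/Root holds a single CVSROOT line.

```shell
#!/bin/sh
# Added example, not from the original message: group CVS working copies
# under a directory tree by the repository named in their CVS/Root file.
# Assumed layout: each checkout has a CVS/Root file whose single line is the
# CVSROOT string, e.g. ":pserver:anonymous@cvs.example.org:/cvsroot".

# list_cvs_roots DIR -> prints "<cvsroot><TAB><checkout dir>" for every
# CVS/Root found below DIR, sorted by cvsroot so checkouts of one repository
# sit together.
list_cvs_roots() {
    find "$1" -type f -path '*/CVS/Root' | while IFS= read -r root; do
        dir=${root%/CVS/Root}
        printf '%s\t%s\n' "$(head -n 1 "$root")" "$dir"
    done | sort
}

# count_cvs_repos DIR -> number of distinct repositories referenced below DIR.
count_cvs_repos() {
    list_cvs_roots "$1" | cut -f1 | sort -u | wc -l | tr -d ' '
}

# make_sample_tree DIR -> builds a constructed tree with three checkouts from
# two repositories (sample data for this example, not real projects).
make_sample_tree() {
    for p in proj-a proj-b proj-c; do
        mkdir -p "$1/$p/CVS"
    done
    printf '%s\n' ':pserver:anonymous@cvs.example.org:/cvsroot' > "$1/proj-a/CVS/Root"
    printf '%s\n' ':pserver:anonymous@cvs.example.org:/cvsroot' > "$1/proj-b/CVS/Root"
    printf '%s\n' ':ext:user@cvs.example.net:/home/cvs'        > "$1/proj-c/CVS/Root"
}

# Run with --demo to build the sample tree and print the grouping.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    list_cvs_roots "$tmp"
    echo "distinct repositories: $(count_cvs_repos "$tmp")"
    rm -rf "$tmp"
fi
```

Pointed at a real checkout directory instead of the sample tree, `list_cvs_roots ~/src` gives the per-repository inventory the message describes, which is what an auditor would want before deciding which upstream to talk to.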