Re: RFC: Central version control for Debian
On Wed, Jan 31, 2001 at 11:40:03PM -0500, Matt Zimmerman wrote:
> - Repackaged upstream source (DBS and similar). Unfortunately, this includes
> several important packages, especially in the context of a security audit:
> gcc-2.95 libnss-db pam silo
> glibc openldap2 ppp yaboot
> gpm openldap shadow zlib
> I don't know what to do about this last set of packages. Perhaps maintainers
> of these and similar packages would like to speak up about what they gain from
> using such a format, and how we can come up with a solution that meets their
> goals without compromising a CVS effort. As far as I know, these benefits

Tell us again why you are basically taking over these packages from

What is it that makes it easier to audit gcc-2.95 and silo by having
them in the same CVS repository?

I just don't get it. If a piece of software could use a security audit,
who is the first person to talk to?
The upstream maintainer
And the second person?
The Debian maintainer

What is it that made you jump these two steps? We've seen that the
OpenBSD approach amounts to a fork, and you are trying to do the exact

Yet I have a huge filesystem with CVS checkouts from all kinds of
different projects, all living nicely together. I'd have to look into
the CVS/Root files to find out whether they belong to the same
repository. What makes this setup so different from what you're

Instead, what would be useful is a database with a subjective evaluation
of every package with regards to security. Anyone so inclined could then
pick a package and start contributing *to the upstream source*. Because
that needs to happen sooner or later anyway.

The idea is that the first face shown to people is one they can readily
accept - a more traditional logo. The lunacy element is only revealed
subsequently, via the LunaDude. [excerpted from the Lunatech Identity Manual]