Re: Proposal for removal of mICQ package

On Thu, Feb 13, 2003 at 11:42:12PM -0600, Steve Langasek wrote:
> What are we going to give up to get developers to spend this time
> auditing their packages?  Package count?  QA?  Maintainer sanity ("job
> satisfaction")?
> Flamewars? :)

(What QA would that be, exactly?) 

I'd be quite happy to give up package count in favour of reducing known
and demonstrated security risks, and to encourage new maintainers to help
maintain existing packages, than uploading, e.g., a new version of which.

> 1-2 hours per upstream
> release per package can add up rather quickly.

Really? micq's had releases at:

	0.4.9     2002-06-10
	0.4.9p11  2002-06-24  2002-08-10   2002-08-27   2002-10-03
	0.4.10    2003-01-07  2003-01-25

The hour I spent scrolling through diffs was between and,
for reference. Which would indicate that it adds an hour a month, roughly.
That doesn't seem that quick.

> > > We are very much exposed where upstreams are concerned, and the
> > > best way to protect against that is to make sure we know and trust our
> > > upstreams (and, be able to know and trust the origins of the tarball
> > > we're downloading).  
> > This isn't possible. For example, we'll lose a lot more software if we
> > drop every upstream that doesn't have an md5sum file that's signed by
> > a key connected to our web of trust, than if we just insist on maintainers
> > auditing every update they do to their package.
> And if we already have trusted, signed md5sum files?

For micq, we don't. Likewise, we don't have that for CVS pulls.


Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

  ``Dear Anthony Towns: [...] Congratulations -- 
        you are now certified as a Red Hat Certified Engineer!''
