Re: Packaging group on salsa for OpenSBI and/or RISC-V?
On Fri, Jun 7, 2019 at 5:18 AM Vagrant Cascadian <vagrant@debian.org> wrote:
> It's my username on salsa (and in the Debian project); all users on
> salsa have such a namespace.
i'm not using mine because i've witnessed too many problems in too
many projects, over the years.
> I see it as valid a place to put personal or work-in-progress projects
> or repositories from which to propose merge requests into repositories
> you don't have access to... rather than having to create a group for
> each new project regardless of weather it goes anywhere...
yes, this is perfectly reasonable. the issue comes when people begin
to assume that the personal repositories are "official" (which, on
github, happens all the time. in one famous case involving
archlinux, a hacker actually re-registered a user's account after the
original user pulled the entire codebase, inserted spyware into an
identical repo, and the resultant spyware went *directly* into
archlinux's binary repository).
the worst - and most damaging because it is so prominent and
prevalent - example of proliferation of personal repos i've ever
encountered is both the marlin firmware and the reprap firmware. both
have absolutely no team management / team collaboration whatsoever,
with the result that users actually have to create their own git
repository and manually merge patches from multiple disparate sources.
> For long-term maintenance I already proposed to move the "opensbi"
> packaging repository outside of my user's namespace, so no need to
> convince me of that.
:)
> Another option I forgot to mention on the initial question was to host
> it in the "debian" group, where all Debian Developers have access.
>
> That pretty much leaves three options:
>
> * create a riscv group (or risc-v, riscv64, riscv-packaging, etc. ?)
> (presuming trademark issues aren't a blocker)
(not a blocker: more, "something to be wary of", learning from the
lesson of the firefox - iceweasel - debacle)
l.
Reply to: