
Re: How much interest in a "debian-science.org" repository?



On Wednesday, 19.07.2006, at 20:20 +0200, Michael Hanke wrote:
> On Wed, Jul 19, 2006 at 12:07:40PM -0400, Kevin B. McCarty wrote:
> > Dear list,
> > 
> > Currently there are a fair number of repositories of science-related
> > unofficial Debian packages out there.  I've been thinking that it might
> > make sense to consolidate them into a single site.  This would have
> > several advantages:
> - snip -
> 
> I think this is a great idea and the Debian-science community could gain a
> lot with this central repository. But IMHO its success might depend
> on the details:
> 
> 
> 
> 1. What Debian versions will be supported (or what Debian derivatives)?

Interesting. I think there could be ways to support both Debian and
Ubuntu (e.g. automatic rebuilding of packages which compile without
changes under Ubuntu and Debian) and provide the package to Debian and
Ubuntu in two repositories. Backports might be more complicated.

[..]
> I know that some people simply do not care about Ubuntu,

I cannot speak for others. But for me the problem is: I can build my
packages for Ubuntu, but I cannot test them (and Ubuntu maintainers
maybe cannot test the Debian package). So the problem I see is: E.g.
automatic rebuilding is of course possible, but then you need people who
test the result and maybe fix issues. So every package needs a
maintainer for Debian and Ubuntu, when both Debian and Ubuntu should be
supported.

[..]
> 2. What are the requirements a package has to meet to be included in the
> repository (e.g. license)?
> 
> If a package is perfect in any sense it could obviously go directly 
> into the Debian archive.

That is indeed an interesting point: Should such a repository also be a
place to show the scientific package(s) and search for sponsors? Or
should it just be a place to put packages which cannot go into Debian
because of e.g. licensing issues?

[..]
> 3. Who will be able to upload packages?
> 
> If only DDs are able to upload packages the number of contributors is
> (unnecessarily?) limited. But if the Debian-science repository aims to provide 
> the same quality and security as the main archive, there is no way around it.
> 
> If the repository is intended to be more open than the Debian archive,
> and I think it should be, then I see two possibilities:
> 
> 1. Everybody gets upload rights. This is simple, but might be the source
>    of serious trouble.

This is a bad idea. I would not trust such a repository and would never
download a package from it. Who will check that nobody packaged
malware?

> 2. Perhaps a procedure similar to Alioth would be a reasonable way to deal
>    with upload rights: Potential contributors explain what they want to
>    provide and get upload rights if they provide a solid explanation.
>    From that point on they have the right to upload new packages, but
>    not to upload new versions of packages already in the archive where
>    they are not (co-)maintainers. DDs might be an exception to the rule.
>    This should not limit the number of contributors and introduces a 
>    minimal protection against bad guys.

Maybe a sponsor-like way would be good. That means: DDs can check the
work of non-DDs. When they think the package is OK, they should sponsor
the upload. During such a sponsor-time, sponsors can check the work and
maybe the intention of contributors. And if such a contributor is doing
his work correctly, he could be added to the list of allowed uploaders
directly and can then be a sponsor too. This of course needs a high
trust level.

> 
>    The main disadvantage is that somebody has to implement this.

Then this is just a question of an uploaders keyring.

But this is of course an interesting point.

Regards, Daniel
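
The upload rule proposed in point 3 of this thread (keyring members may introduce new packages, only (co-)maintainers may upload new versions, DDs are exempt), sketched as an added example that is not part of the original message or of any Debian tool. The class, role names, fingerprints and package name are hypothetical, and the signer fingerprint is assumed to come from a signature that was already verified against the uploaders keyring.

```python
from dataclasses import dataclass, field

# Roles in the hypothetical uploaders keyring (names are assumptions).
DD = "dd"                    # Debian Developer
CONTRIBUTOR = "contributor"  # non-DD whose request for upload rights was approved


@dataclass
class Archive:
    keyring: dict                                    # key fingerprint -> role
    maintainers: dict = field(default_factory=dict)  # package -> set of fingerprints

    def check_upload(self, package, signer_fpr):
        """Return (accepted, reason) for an upload signed by signer_fpr.

        signer_fpr is assumed to be taken from an already verified signature.
        """
        role = self.keyring.get(signer_fpr)
        if role is None:
            return False, "signing key not in uploaders keyring"
        owners = self.maintainers.get(package)
        if owners is None:
            # New package: any keyring member may add it and becomes its maintainer.
            self.maintainers[package] = {signer_fpr}
            return True, "new package"
        if signer_fpr in owners:
            return True, "(co-)maintainer"
        if role == DD:
            # "DDs might be an exception", modelled here as a full exemption.
            return True, "DD exception"
        return False, "not a (co-)maintainer of existing package"

    def add_comaintainer(self, package, by_fpr, new_fpr):
        """Only a current maintainer may add a co-maintainer from the keyring."""
        if by_fpr not in self.maintainers.get(package, set()):
            return False
        if new_fpr not in self.keyring:
            return False
        self.maintainers[package].add(new_fpr)
        return True


def demo():
    # Constructed sample data: placeholder fingerprints and package name.
    a = Archive(keyring={"FPR-DD": DD, "FPR-ALICE": CONTRIBUTOR, "FPR-BOB": CONTRIBUTOR})
    signers = ["FPR-ALICE", "FPR-BOB", "FPR-DD", "FPR-MALLORY"]
    return [a.check_upload("sci-foo", s) for s in signers]
```
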


