New package cvs requests. opt out of cvsextras commit rather than in?

Thorsten Leemhuis fedora at leemhuis.info
Wed Dec 5 13:28:02 UTC 2007


On 05.12.2007 13:59, Lubomir Kundrak wrote:
> On Wed, 2007-12-05 at 13:25 +0100, Thorsten Leemhuis wrote:
>> On 05.12.2007 13:02, David Woodhouse wrote:
>>> On Tue, 2007-12-04 at 17:10 -0500, Todd Zullinger wrote:
>>>>  For those packages that want tighter control perhaps "Private
>>>> Commits" would be good wording.
>>> It would be nice if you also needed to give a _good_ reason for making
>>> it private. Perhaps even a reason which is approved by FESCo in advance.
>> "I fear that a just sponsored contributor puts something bad in one of
>> my packages" and "the CTRL+C trick in CVS still works, thus I as
>> maintainer might not even get a mail if someone changes my package(¹)"
>> are the reasons why I excluded cvsextras for those of my packages that
>> have co-maintainers.
> Why would he put something bad? Being malicious?

Yes. Sure, for most people the hurdle is likely too high to go that
route, but OTOH it's a great way to get bad code out to lots of systems
quickly (and a way to ruin our fame).

> He can do that in
> different places also when he has a FAS account, is in cvsextras and can
> build packages.

Not exactly sure what you mean. His own packages? Sure, that's easy. But
as a malicious person I would likely take a popular package that more
users have installed *if* I have access to it.

> Being not experienced enough? [...]

We all make errors now and then. IOW: no, I didn't mean that.

> (btw that CTRL+C thing should get fixed, is there an
> infra ticket for it?)

There was one in bugzilla iirc; then there was one in OTRS and someone
looked into it, but it didn't get fixed; then infrastructure switched to
something else, and there is no current ticket I'm aware of.

>> OTOH I think we IMHO should have a group in FAS called something like
>> "experienced maintainers" with sponsors and long term contributors that
>> gets access everywhere; I trust those way more than a just-sponsored
>> contributor that came out of the blue.
> I'd say all sponsored people are "experienced maintainers".

So someone that just baked his first spec file in his life, got it
reviewed, himself sponsored and the spec file imported is directly
"experienced"?

/me wonders if we are confusing the terms "sponsored people" and "sponsors"

> Those who
> are not experienced do post their work in bugzilla. At least I think of
> sponsorship should serve exactly this purpose, if you believe it is not,
> then it is unuseful and have to be dealt with somehow. If we solved that
> by separating the group further, we may end up with something like
> "extra most super experienced maintainers" groups.

Sure, but OTOH black (no access) or white (access everywhere)
might be an oversimplification. Three or maybe four contributor levels
(access to his own packages, access everywhere, sponsors, admins) IMHO
would be better and not that complicated.

Cu
knurd
