First I'd like to state that I do offer my opinion. You don't have to like it, but disqualifying it as flaming, while doing exactly this yourself, disqualifies you. I'd appreciate it if you would try to have a controversial discussion without starting to lose your manners.
On Wednesday 02 August 2006 03:39, Brian Harring wrote:
> > 1) no security,
>
> Suggest you read their responses, and look into some of their material
> (in particular their faq).
>
> Two levels.
>
> One, holding area (essentially).
> Second level (what users get), is the reviewed branch.
>
> So... if you're arguing people can stick malicious shit into the first
> level, yes, they could.
> [...]

You haven't read what I wrote, as I asked you to do. My point isn't that people add malicious ebuilds to the overlay. There are more subtle methods anyway, given that the tree still isn't signed. I wrote about vulnerabilities in the upstream software, neither having a security team backing them up nor GLSAs to be written.

> And... just cause I'm mildly sick of this bullshit,

And I'm sick of people who miss the point.

> > 2) issues with eclass changes which will result in bug spam
>
> You're not supposed to change the exposed api of eclasses in the tree
> (something y'all do violate I might add, which is a separate QA
> matter). Same issue applies to the 'official' overlays offered by
> devs also, and to the tree in general.

We can change eclasses all the time, assuming all relevant ebuilds in the tree get adjusted - just that no one cares for any overlay.

> It's a reaching statement, bluntly. Using such an argument has the
> side effect of stating that no overlays should ever exist, because
> they suffer the same potentials.

Local overlays are fine, as the user knows exactly what he does in his private overlay (and hopefully follows eclass changes); development overlays are fine (assuming the group of people controls the relevant overlays as well); overlays like Sunrise are problematic, not to use such anal words as you do.

> > 3) the fact that sunrise is a bunch of arbitrary packages, instead close
> > related ones managed by one team, that does exactly maintain relevant
> > packages.
>
> What the hell do you think the tree is? It's a bunch of arbitrary
> packages maintained loosely by subgroups of people; you're stating
> that sunrise is too loose yet gentoo-x86 is fundamentally no
> different.
>
> Sunrise is pretty much the same damn thing.

Exactly that isn't right. No one cares for compatibility of the main tree (eclasses, conflicts between ebuilds with regards to installed files) and Sunrise ebuilds.

Carsten