Hi,

On Sun, 03 Jul 2022 at 12:38, Bengt Richter <b...@bokr.com> wrote:

>> I do not think committers are pushing code about #1, #2 or #3 that they
>> know beforehand it will cause a problem.
>
> Hm, -- unless <context-requirements-not-met> ... ? :)

I do not understand what you mean?

>> The GPG trust level works because it is based on the web of trust.
>> Here, there is no web, IMHO.
>
> Well, guix developers who know each other well "in real life" have a pretty
> good web, if not formal, no? :)

Maybe I miss something. IIUC, you are proposing to attach a level of trust to each commit.

If this level for one commit is set by one committer, then the outcome is poor because this level strongly depends on the committer. Committer A could say 0 and committer B would say 3 for the same commit; in other words, the level depends on who does the job. Therefore it is too dependent on the committer's mood to be useful, security-wise. In this case, there is no web of trust.

If this level for one commit is set by more than one committer, then it is not affordable because it means we are doing double (or more) review when the project is trying to just deal with merging all the submissions. In this case, there is a web of trust. But it is not doable considering the rate of commits.

> I'm just looking for some greppable coded hint of the difference between
> a package that consists of e.g. a reverse polish calculator homework
> assignment that a nerdy friend showed how to submit as a package, vs.
> e.g. a package where the comments say over 10K subscribers have now been
> running this hundreds of times daily for 2 months of beta testing with
> no reported problems. Vs. This is alpha stuff, but seems harmless enough
> if you run it in a container. Run OpenBSD. ;-)
>
> I'm not asking any guarantees, just a professional's quick judgement.
> Like a chef's quick opinion on the cantaloupes at the open market.

Why should this professional's quick judgment come from the package manager (packager, reviewer, committer) and not from a community around the specific software, however it is distributed?

Cheers,
simon