QA process was Re: RPM submission procedure

Jef Spaleta jspaleta at princeton.edu
Fri Jan 9 17:14:27 UTC 2004


Lamar Owen:
> So you're talking about something similar to how Slashdot
> moderation works with points.  Then if someone wants to run
> untested code, they just drop their 'view level' to the
> appropriate place.  If they want solid code, they raise the
> threshold and don't see the cruft.  In essence, at least.  I like
> your idea.

No absolutely not...we aren't talking about crufty comments, we are
talking about QA..QA that impacts security of the codebase. I am a FIRM
believer that end-users do not care enough about security and it's up to
the development side to do the correct amount of caring.
If you give people who do NOT know what they are doing the easy
ability to eat packages that have not been appropriately
peer-reviewed...might as well just stop trying to do QA at all...because
end-users ASSUME that just because it's in an rpm...it's worth installing
and have no regard for security whatsoever. Un-QA'd binaries should
not go into a repository. Users who do not know enough to roll their own
binaries should not be expected to self-select what level of codebase
is appropriate for them...because frankly they have no real claim to
understanding what is appropriate. Users who are infused with clue...can
follow up on the transparent QA bugticket...find the src.rpm listed that
needs review and roll their own and be a part of the QA effort.

> I think that trusted people should be able to vote negatively too; a
> trusted person might +1 in error occasionally.  Or maybe the
> trusted person has an interest in seeing a favorite package go
> through quickly (one would hope not,
> but facts are facts, and people sometimes lose sight of the big picture when
> their pet idea or package is under fire).

What does marking someone as "trusted" mean then? Trusted people are
well.... trusted to do the right thing consistently. A trusted person
earns 'trust' status through multiple and consistent
application of the guidelines while untrusted. There is of course going
to need to be review and intervention in the 'corner case' of when a
trusted person goes postal. But the whole point of deeming someone
'trusted' is to...trust them. It should be pretty clear from the way
people interact on QA bugtickets whether they 'get it' and are
following the guidelines and allowing for reasonable discussion about
the technical merits of the packaging before marking something publish.

-jef "for the sake of signal to noise ratio...and to prevent slipping
into a "tastes great/less filling" round robin conversation...I'm
implementing a 2 post personal limit on my replies to people in a
thread. So in this case this counts as my first reply to Owen in this
thread..I have at most one more reply and then I'm not going to reply
back on this mailing list to Owen on this topic. And in the future I will
try to follow this guideline as much as possible to avoid getting stuck
in long threads that are doing nothing but encouraging people to ignore
the list completely. Feel free to ping me off list to remind me if I've
stepped over my personal limit in the future" spaleta




