Need advice pertaining to GSoC proposal

Debayan Banerjee debayanin at gmail.com
Thu Apr 2 11:47:46 UTC 2009


2009/4/2 James Antill <james at fedoraproject.org>:
>>  Because it came added by default in the distro. Because it
>> was mentioned on a Fedora website.
>
>  But neither of these are true. And they are that way for a reason, if
> it was a good idea to have Fedora trust one or more third party
> repositories for its users ... Fedora would have already done it by
> installing the *-release packages for those repos.

I was not talking about 3rd party repositories above. I was talking
about official repositories.
>
>> It's the same thing with my approach. Users trust Fedora hosted sites
>> and they click on these 1 click install links only if it's on a Fedora
>> site, and hence only add official repositories.
>> We need the trust-vote-ranking system only for 3rd party repositories.
>
>  So you want to create a category of "official third party
> repositories", ok fine ... go argue with FESCO for that, but I don't see
> a current technical limitation here (well none that you're saying you'll
> fix, anyway).

It's not official. It's users suggesting it to users, the way users
suggest Fedora to users as a good distro. Why do you not believe that
concept then?
>
>> >> http://www.cs.ucr.edu/~dperkins/projects/pk-oci/.
>> >
>> >  This was rejected previously due to not being secure, what has changed?
>>
>> On the security aspect you have the trust-vote system for 3rd party
>> repos
>
>  Which implies that Fedora host trusted/official third party repos. ...
> and that a voting system for trust is a workable idea.

Yes, it is a workable idea, as Patrick W. Barnes went to great
lengths to explain
<http://groups.google.com/group/redhat-summer/browse_thread/thread/50de9e16d5407b9c>
>
>> >  Why do you think votes (esp. those by users) and trust are related? I
>> > guess it's not a _terrible_ hint, but it's surely not a good one either.
>> >  We don't do Fedora package reviews by having everyone vote, so I don't
>> > see why we'd want to do the same thing for (expandable) sets of
>> > packages.
>>
>> Well downloading and installing packages is something any user does
>> and hence they have a right to vote for what they liked, like voting
>> for water they consume. Voting for package reviews should be done by
>> people who understand packaging, not by users who use them. Like
>> voting for the filtration process at the water treatment plant.
>
>  I think you are confused, voting for third party repos. is identical to
> voting for multiple package reviews (even worse, because packages can
> then be added after up votes).

No. I think you are being paranoid. Bad packages can be added after
votes, yes, and it will decrease the rankings of the repository soon.
You are saying you only trust yourself in the whole wide world. And
this paranoia is stopping Linux adoption at a certain point. You have
to let 3rd party, ISVs make software packages for users too. The only
thing we can then do is point the users to the right direction. I
understand you won't want to do even that, which is ok. But at least let
people share their opinion among themselves.

>
>  If what you propose was possible and implemented then given a problem of
> "I want to make package X available to Fedora users" you could then do
> either:
>
> 1. Try to add the package to Fedora -- unlucky now I have to pass a
> review.

I understand review must be a difficult process since you consider
yourself unlucky to review.
> 2. Put the package in my own repo. and propose to add the repo. to
> Fedora -- lucky, now I get random users to up vote me (or just do it
> myself posing as multiple users).

Ok, let's clear the confusion. 1) Official repositories are official
repositories. Maintain them the way you do currently. Don't care about
everything else. You carry on with your package reviews normally. 2)
Let ISVs, 3rd party developers package stuff and host their own
repositories. Of course, they may be better than you. Users have the
right to decide.

And your concern about multiple-votes and all that was obviously raised
before too. Here was my argument:

" I was advised on the Fedora list by Patrick Barnes to use the voting
approach. I thought it made sense since it will keep evil people
(repositories) away
the same way Wikipedia protects itself from evil people.
Also there may be admins, like me, who shall ban a particular
repository from the listings if it is found to be a malicious
repository. If a repo is getting too many good votes unjustly, a lot
of normal good people will also use it and find it to be crap and vote
against. If a repo is evil, there *will* be several "do not
recommend" votes to it which will attract attention. "
>
>> >  Given that Fedora, as a distro., don't ship rpmfusion-free-release (for
>> > both legal and non-legal reasons) ... why do you think they will
>> > maintain this list?
>>
>> To help users remain safe.
>
>  Except if we did what you propose users would be much less safe.

Yeah. So give them a weapon like trust-vote. The current model of
"trust only yourself, everyone else is the enemy" has an elastic limit
and is stunting Fedora's growth.
>
>>  To make users aware. And Fedora is not
>> recommending any repository at all. It's the users recommending it to
>> other users (reminds me of p2p). Fedora just hosts that opinion,
>> nothing else.
>
>  This is like arguing that Fedora could/should host an open bittorrent
> tracker and allow users to put anything in it, but sure go ask FESCO I'm
> sure they could do with a laugh.

Calling it a bit-torrent tracker is trying to create negative paranoia
about this proposal.
I call it a repository of public opinion.
And I was looking forward to feedback from more people on this list. I
already have a lot of feedback on the other lists, but this list is
really busy with development I think.
I chose this as my GSoC proposal knowing that it will be very
difficult to get passed through, and will involve convincing n number
of people from m number of lists, but it's all worth it. It really is
IMO.
>


-- 
Be Intelligent, Use GNU/Linux

http://debayanin.googlepages.com/
http://debayan.wordpress.com
http://lug.nitdgp.ac.in



