updates-testing --> updates policy discussion

Warren Togami warren at togami.com
Sat Jan 10 09:46:13 UTC 2004


Massive headache...

Jesse Keating wrote:
> On Thursday 08 January 2004 16:15, Warren Togami wrote:
> 
>>http://www.fedora.us/wiki/PackageSubmissionQAPolicy
>>We need to discuss how to change this procedure for Legacy specific
>>packages.
> 
> 
> Post message to either "fedora-legacy-announce" or "fedora-legacy-devel" 
> about a suspected vulnerability or bugfix that you'd like to fix.

I agree with fedora-legacy-devel, but fedora-legacy-announce is for 
official announcements of the Legacy project, like security advisories 
only.  Right?  Well that's what I would expect anyhow...

> 
> Use "FedoraLegacy Package Naming Guidelines" instead of generic 
> fedora.us guidelines

Of course.

> 
> Fix the numbering scheme... 1,2,3,4,1,2,3,4 ?  why start over?  Move the 
> signing from before the optional rpmlint to after the optional rpmlint.
>

The formatting of the document isn't important in this discussion.  The 
actual process is.

> 2 initial keywords.  "updates-testing" or "updates", and "security" or 
> "bugfix" to indicate what type of update it is.
> 
> Change "fedora-package-announce" to "fedora-legacy-announce".
> 

Exactly.

> 
>>We also need to change the definition of "trusted" for Legacy
>>specific packages, along with the requirements for reaching the
>>"trusted" status.
>>
>>Thoughts?
> 
> 
> Trusted could be a term given to those developers who've put forth and 
> followed through with a certain number of security fixes in packages.  
> I'd say untrusted == 0-5, semi-trusted == 6-9, trusted == 10=+.  A 
> package can inherit its trusted status from the developer who puts it 
> forth.  Now where we use the term or what it really means to the end 
> users is yet another point of discussion.
> 

I'm not sure how to respond here except to say I have a bad feeling 
about this.  I am realizing that it was a bad time to ask this specific 
question.

Giving hard numbers for thresholds of "trust" IMHO is a mistake.  You 
cannot earn "trust" by mechanically doing a set number of tasks.  It 
could even be dangerous to make such a policy.

"Trust" is something that you earn through dedication and hard work. 
Trust is not something that can be given cold, quantized numbers.

http://www.fedora.us/LEGACY

These are the folks that gain trust.  Those who spend hours doing boring 
work of porting patches, building and testing packages for a lazy 
userbase waiting for a free lunch - someone else to do the work for them.

Hard work and dedication is what built the "trusted" group in the 
original fedora.us project, and I would suggest doing the same here.

Follow the process, and review the patches.  That is the only way we can 
get these packages published.

Warren




