updates-testing --> updates policy discussion
Warren Togami
warren at togami.com
Sat Jan 10 09:46:13 UTC 2004
Massive headache...
Jesse Keating wrote:
> On Thursday 08 January 2004 16:15, Warren Togami wrote:
>
>>http://www.fedora.us/wiki/PackageSubmissionQAPolicy
>>We need to discuss how to change this procedure for Legacy specific
>>packages.
>
>
> Post message to either "fedora-legacy-announce" or "fedora-legacy-devel"
> about a suspected vulnerability or bugfix that you'd like to fix.
I agree with fedora-legacy-devel, but fedora-legacy-announce is for
official announcements of the Legacy project, like security advisories
only. Right? Well that's what I would expect anyhow...
>
> Use "FedoraLegacy Package Naming Guidelines" instead of generic
> fedora.us guidelines
Of course.
>
> Fix the numbering scheme... 1,2,3,4,1,2,3,4 ? why start over? Move the
> signing from before the optional rpmlint to after the optional rpmlint.
>
The formatting of the document isn't important in this discussion. The
actual process is.
> 2 initial keywords. "updates-testing" or "updates", and "security" or
> "bugfix" to indicate what type of update it is.
>
> Change "fedora-package-announce" to "fedora-legacy-announce".
>
Exactly.
>
>>We also need to change the definition of "trusted" for Legacy
>>specific packages, along with the requirements for reaching the
>>"trusted" status.
>>
>>Thoughts?
>
>
> Trusted could be a term given to those developers who've put forth and
> followed through with a certain number of security fixes in packages.
> I'd say untrusted == 0-5, semi-trusted == 6-9, trusted == 10+. A
> package can inherit its trusted status from the developer who puts it
> forth. Now where we use the term or what it really means to the end
> users is yet another point of discussion.
>
I'm not sure how to respond here except to say I have a bad feeling
about this. I am realizing that it was a bad time to ask this specific
question.
Giving hard numbers for thresholds of "trust" IMHO is a mistake. You
cannot earn "trust" by mechanically doing a set number of tasks. It
could even be dangerous to make such a policy.
"Trust" is something that you earn through dedication and hard work.
Trust is not something that can be given as cold, quantized numbers.
http://www.fedora.us/LEGACY
These are the folks that gain trust. Those who spend hours doing boring
work of porting patches, building and testing packages for a lazy
userbase waiting for a free lunch - someone else to do the work for them.
Hard work and dedication are what built the "trusted" group in the
original fedora.us project, and I would suggest doing the same here.
Follow the process, and review the patches. That is the only way we can
get these packages published.
Warren