From: Max <max...@gm...> - 2010-09-02 17:57:39
Hi George,

Thanks for the explanations! Would you mind describing the procedure you use when testing packages? Despite Akuna's confidence in my abilities (thanks by the way! :-) as a packager, I realise that I am far from perfect. So I think it would be helpful, both for the dev team as well as those willing to help test, to have a standard way of testing so that package quality has a good chance of remaining at the high standard that has been achieved.

Let's say I was to test a package posted on the bugtracker. If everything looked good, and the md5sum of the submitted package matched that of the package built by myself, I am guessing that would be enough for that package to be included in the repo directly? I say this as you're mostly uploading the packages you built as opposed to the ones submitted, so would it be necessary and/or desirable for me to upload the package I built too?

Max

On 28/08/10 11:38 AM, George Vlahavas wrote:
> On Fri, Aug 27, 2010 at 10:19 PM, Max <max...@gm...> wrote:
>
> > /"I'm rebuilding and uploading my own packages instead of the ones they submit anyway."/
> >
> > If that's the case, then when submitting packages for inclusion in the repos would it be better just to submit a SLKBUILD instead of uploading the entire package set (dep, md5, src, txz, log)? I realise the need for quality control and respect the commitment that you, as well as all the other dev team members, have made in time and effort spent in building and maintaining both the OS and extra packages, so please don't take this as some kind of cop-out on my part as a packager! But if you're going to build and upload your own packages anyway then what's the point of uploading anything but the SLKBUILD (and source patches if necessary)?
>
> Uploading all files helps me in many different ways. Without the logs I couldn't know if any package I built was built with the exact same options as the packager did. I might be missing an optional dependency for example, or building with an optional dependency that is not actually needed or wanted. Also, I don't always upload my own packages, especially with bigger packages it's a lot faster to download straight to the repository from the packager's ftp, after I match the md5sums with the packages I built myself, instead of uploading from my own pc.
>
> > From what you have said it also seems you are doing most of the leg-work in maintaining the repos and packages. I don't know your personal situation, but (and this is just a wild guess) I'm sure that doing this by yourself must be tiresome in the least, and probably also cuts into time that you could better spend doing something else. Which also leads onto something Thorsten said:
> >
> > /"Rebuilding the packages is a really good idea, especially when users come to the question: is the package source trusted? Every packager could add malware to the package that cannot be detected. Furthermore it is important that the sources are downloaded from their official sites and that patches are reviewed."/
> >
> > Which is a good point and something that I hadn't thought about (I guess I'm just not devious enough to think of something like that :-). But, unless one is willing to do everything by one's self, at some point others will have to be trusted to "pick up the slack" if you pardon the pun! What if some sort of 'official' packaging team was set up to help build/test/review submitted packages? That way efforts could be spread more evenly without sacrificing security to such a great degree, even more so if team members were allowed only to review others' packages and not their own.
>
> Anyone that wants to, can already help with all that by logging to the bugtracker every once in a while and testing the packages that are posted there. Not that many right now, but there will be lots of them when we get a current repo and almost everything will need to be upgraded. Unfortunately that is not a task that many people enjoy.