Re: Pristine source archive

From: Glenn McGrath <bug1(at)optushome(dot)com(dot)au>
To: spi-general(at)lists(dot)spi-inc(dot)org
Subject: Re: Pristine source archive
Date: 2002-04-16 13:25:27
Message-ID: 20020416232527.1945edaf.bug1@optushome.com.au
Lists: spi-general

On Mon, 15 Apr 2002 11:03:47 -0400
"Dale E Martin" <dmartin(at)cliftonlabs(dot)com> wrote:

> My thoughts about this proposal in general:
>
> 1) Distros won't want to upgrade simultaneously, so you'll end up with
> many versions of each application in the upstream repository. I.e. the
> union of all of the current archives (minus the duplication, of course,
> which is the current "problem" in the proposer's view.)
>
> 2) Not every distro uses the same set of tools, so you might end up with
> a bunch of different upstreams of the same applications. Certain tools
> (like "procps") seem like they have wide variance between distros -
> perhaps even being totally different upstream.
>
Good point, that could be a problem, hadn't thought of that.

> 3) The upstream repository would need more bandwidth than any current
> distro's source repository, since it would be getting mauled by the
> users of all of the distros.
>
For a site that was already mirroring the source of those distros it
shouldn't have a major effect on bandwidth.

> 4) The source repository is a critical bit of infrastructure to any
> distro, and you'd be taking it out of their control. I'm thinking most
> of the distros would not like that, particularly the commercial ones.
>
Distros that are participating would have to have upload rights to the
master site; deciding when to remove an app would be more of a problem,
there would have to be some automated way of determining when the source
is no longer required.

> 5) The current distributed nature is a benefit in many ways - redundancy
> being one of them...
>
> One of the things that would be cool about the proposal would be that
> the baseline tools common to all distros might be agreed upon, and then
> security auditing might be easier. Basically if everyone agreed that
> "sysvinit" version 2.84 was golden within some time period, then each
> distro could have some resources dedicated to security audits of the
> code. The proposed arrangement might make it easier to see the common
> codebases and track the usage...
>

A cleaner separation between upstream source and the distribution modified
source would make it easier to audit the patches distributions add as
well, which is possibly a more dangerous place for an exploit to reside.

You raise some good points, I will need to look into it in more depth, try
and work out more closely what the composition of such an archive would end
up being.

Thanks

Glenn
