On Mon, Jul 22, 2013 at 04:29:20PM +0200, Michael Scherer wrote:
> > And third, by increasing our engagement upstream, we can reduce our own
> > work. For example, right now RubyGems.org doesn't do any validation of
> > licenses, basic review for malware, or gem signing. If we knew that this
> > basic diligence was happening upstream, we could extend our circle of
> > trust. We've long had the mantra of "upstream! upstream! upstream!" for
> > code and patches — we can do the same thing for packaging, for the same
> > reasons and for similar benefits. (But to do that, we need to work with
> > upstream packaging formats rather than demanding RPM — because
> > experience shows that that doesn't work.)
>
> I am quite doubtful about this part.
> What interests most people pushing gems to github or anywhere is the low
> barrier of entry. By pushing our constraints upstream directly, I think
> we may go against the wish of those developers.

We don't have to do it in a way that limits the barrier to entry. We can
create a second level where certain gems are reviewed and signed, and a
path to move to that level. Then, we can start demonstrating the
advantages of being there.

[Rest of message snipped, but only because it's all very good points to
which right now I can only nod.]

--
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  <mattdm@xxxxxxxxxxxxxxxxx>

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel