Thorsten Leemhuis wrote:
> On Tuesday, 16.05.2006, at 09:41 +0200, Thorsten Leemhuis wrote:
>> On Monday, 15.05.2006, at 13:14 -0500, Jason L Tibbitts III wrote:
>>> I think the committee should take up the idea of sponsorship for
>>> package adoption without package submission.
>> I sent the following to the FESCo-List last week (it was in a similar
>> context).
>> [...]
>> That would mean (a lot of) extra work for the sponsors. And that's why
>> this idea probably will fail. Does anyone have a better idea?
>
> Well, maybe a slightly different approach might be easier:
>
> Package foo is orphaned. Bar is interested in taking it over, but he is
> no Extras contributor yet. Sponsor foobar steps up and sponsors bar for
> Extras cvs access (only cvs, bar gets *no* permissions to request
> builds in plague). Bar updates packages and sends foobar a note when
> everything is ready. Foobar reviews the committed stuff and requests
> build if everything is fine. If that worked fine for some update cycles
> and some time in general bar gets fully sponsored and gets permissions
> to request builds.
>

Sounds like a good plan, except for one thing:

- Assume I'm an evil bastard who wants to inject bad code into FE cvs
- I say I want to unorphan a (few) package(s) and get sponsored
- I update them (I've chosen easy ones) and request builds, sponsor is happy
- In the meantime I also use my CVS access to inject some malware in a
  couple of much used often released packages. I circumvent the CVS change
  mails (yes that's possible, just hit ctrl-C at the right moment)
- After some time the packages get built for one reason or another by their
  actual owner with my malware included. <OOPS>

Then again I even have worries about this happening one day with the
current process. Thus what I do when I sponsor (so far 2 people only) is
look for other open source contributions. If they have got CVS access to a
couple of other projects they already have plenty of chance to inject
malware and thus probably won't (erm does that make sense?)

But except for the above worries I like the idea in general. Actually I had
the same idea before reading your mail :)

Regards,

Hans
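The worry in the message above is that a CVS-only contributor can commit to packages they did not adopt without the owner ever seeing a change mail. One mitigation is to audit the repository history itself against package ownership before builds are requested. The sketch below is an added example, not part of the original mail or of any Fedora tooling; the record layout, the owners and sponsorship tables, and all package and user names are constructed assumptions.

```python
# Added example: audit commits against package ownership.
# All package names, user names and the record layout are constructed.
from collections import namedtuple

Commit = namedtuple("Commit", "package author revision")

# Package -> owner, as a project-maintained owners list might record it.
OWNERS = {"foo": "orphan", "libpopular": "alice", "tool": "carol"}

# Contributors with CVS-only sponsorship -> (sponsor, packages they adopted).
SPONSORED = {"bar": ("foobar", {"foo"})}


def audit(commits, owners=OWNERS, sponsored=SPONSORED):
    """Classify each commit by reading the repository history directly,
    so the result does not depend on change mails having been sent."""
    findings = []
    for c in commits:
        owner = owners.get(c.package)
        if c.author in sponsored:
            sponsor, adopted = sponsored[c.author]
            if c.package in adopted:
                # Expected work: sponsor reviews before requesting a build.
                findings.append(("needs-sponsor-review", c, sponsor))
            else:
                # CVS-only contributor touched a package they did not adopt.
                findings.append(("outside-adopted-packages", c, sponsor))
        elif owner is None:
            findings.append(("unknown-package", c, None))
        elif c.author != owner:
            findings.append(("non-owner-commit", c, owner))
    return findings


def blocked_packages(findings):
    """Packages that should not be built until someone has looked at them."""
    hold = {"outside-adopted-packages", "non-owner-commit", "unknown-package"}
    return sorted({c.package for kind, c, _ in findings if kind in hold})


# Constructed history for illustration.
HISTORY = [
    Commit("foo", "bar", "1.4"),
    Commit("libpopular", "alice", "1.12"),
    Commit("libpopular", "bar", "1.13"),
    Commit("tool", "carol", "1.7"),
]

if __name__ == "__main__":
    for kind, commit, contact in audit(HISTORY):
        print(kind, commit.package, commit.revision, commit.author, "->", contact)
```
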