On Fri, 5 Nov 2004 23:03:50 +0100 (CET), Dag Wieers wrote:

> On Fri, 5 Nov 2004, Alan Cox wrote:
>
> > On Fri, Nov 05, 2004 at 06:20:42PM +0100, Michael Schwendt wrote:
> > > > How can 4 people
> > > > work together if only 1 person can make commits ?
> > >
> > > With "poor man's CVS" because of lack of CVS. When four people work
> > > together, every one of them can take the most recent src.rpm and either
> > > submit patches or submit a modified src.rpm. And the others review the
> > > changes and approve the package (unless they are trusted).
> >
> > Linux kernel works this way near enough.
>
> Well, I didn't say it was impossible. And that question is actually a poor
> one, I admit. It's not really a problem that only one person can commit,
> the problem is that it is hard for the other three to follow development
> and you need much more communication to get things done.
>
> But let me rephrase:
>
>  + You're only interested in the SPEC file and a few patches and the
>    changes to that SPEC file. In the best case see all the changes that
>    happened since the latest release and by whom.

Then by all means, get in contact with the developer and ask him to
either send you the spec or put it online. You do like e-mail. I know
that.

Suppose somebody takes your spec file and modifies it on his home
machine. After several changes he's satisfied with the changes and
creates a src.rpm. He opens a ticket at bugzilla.fedora.us and submits
the src.rpm for inclusion in the repository. Maybe he even has a web
server with a public yum repository, where he offers his self-made
packages. Meanwhile, a different developer has packaged the same
software from scratch and submits another package, not noticing the
older request. Now what should fedora.us do in such a case? The
submitted src.rpms are still on a remote server, the packager's own
web space.
Suppose reviewers have seen the first package request and downloaded
the src.rpm, to find out it seems to have severe problems and doesn't
even build. In parallel, another reviewer notices the second
submission and closes the ticket as duplicate. Now the two packagers
meet each other. Communication about how to proceed is absolutely
necessary at this point, since two spec files and two packagers exist.
It should be doable for them to agree on e.g. exchanging diffs or spec
files, probably even outside bugzilla. And when they're done, one of
them creates a src.rpm, the other one posts a utilisable gpg signed
approval, and that is a big step towards getting it published. For
updates, they agree to add themselves to Cc. Or they open a meta
ticket in bugzilla, which they use for communication and a substitute
of a package-specific mailing list.

Do we really need to discuss the potential dangers of CVS commit
access for everyone?

>  + The SPEC files are inside Source packages that are located on someone's
>    webserver (that at this time is even no longer available). Different
>    packages are on different servers by different packagers.

Yes, of course. While everybody is permitted to open package request
tickets and provide links to packages (even binary ones!) on external
servers, all these have not been reviewed at all by someone other than
the submitter. They are not content provided by fedora.us until they
are published in the fedora.us repository. Submitted packages could
contain malicious software, or, in a less worse scenario, major bugs
which rm -rf / for people who would build them as root.

So, what are you trying to point out? That fedora.us doesn't offer CVS
commit-access for everyone? That no anonymous FTP/HTTP upload space is
offered?

A CVS server at fedora.us exists, and some packages are developed in
it. But afaik it is not connected to the build system. So, final
package submission remains bugzilla-based.
And why are we discussing this when we wait for official Fedora Extras
anyway?

>  + The only way to know the existence of such a project/package is to find
>    it in bugzilla and look for the different URLs of these packages.

Surprise, surprise. Imagine somebody derived a SuSE Linux package from
your spec file, cutting off the %changelog. You might never learn
about that.

Well, if we still had the fedora-package-announce mailing-list, you
would subscribe there and learn about new releases.

And no, there is no complete package CVS infrastructure at fedora.us.
So, repeat it as often as you like, CVS is hoped for with official
(i.e. Red Hat led) Fedora Extras.

> So it's rather hard to follow the development of a single package, let
> alone follow the different developments of many packages.

As a comparison, how would I follow pre-release development of your
packages? Or alternatively, freshrpms?

> At least with the kernel you take 2 trees and compare those and you see
> all changes. Here we're talking about at least 200 packages. (Or how many
> are there in total now ?)

Should be more than 400.

-- 
Fedora Core release 3 (Heidelberg) - Linux 2.6.9-1.649
loadavg: 1.02 1.02 1.09