

Re: Why not to use CVS



Bruce Perens <bruce@pixar.com> wrote:
> One of the main advantages of Debian, and a major reason for its success,
> has been the decentralized maintenance of packages. A central CVS archive
> is a good thing to have for a single package that many people are working
> on. It's a bad thing to have for every package. 

I really don't see much difference in centralisation between a CVS tree and 
the current system.  Under the current system, storage is centralised at master 
whilst the maintenance and development go on on local systems.  Under CVS, 
storage is centralised at master whilst maintenance and development go on on 
local systems; when the maintainer/developer thinks their changes are ready they 
commit to master (or they pass proposed commits to master which seems no 
different than uploading to Incoming).



> The reasons are:
> 
> 	1. It is entirely unnecessary for the (desirable) goal of
> 	   building the entire system automatically from source. That can be
> 	   accomplished with source packages and a package-order list.
> 	   We are currently working on this for the various ports, and
> 	   will continue to do so.

This is not a reason to *not* use CVS, simply that it can be done without it.

> 
> 	2. It changes the basic system philosophy from decentralized to
> 	   centralized. This gives up one of the main differences between Debian
> 	   and *BSD, and a major reason for Debian's success.

See above on centralisation issues.

> 
> 	3. Do you really want someone other than the maintainer checking changes
> 	   into a package? It becomes too easy for a rogue maintainer to slip
> 	   something into a package that doesn't belong there. Our current system
> 	   in which patches are sent to _one_person_ for inclusion in a package
> 	   (and hopefully are examined before they are applied) is more secure.
> 


Of course I wouldn't want someone untrusted having carte blanche access to the 
whole CVS tree, this is what restrictions are for.  CVS can handle this in 
several ways, one of which is simple Unix group/user file perms.
Now what if I'm particularly paranoid about security but like to use what is 
by many orders of magnitude the easiest way of upgrading packages - that is 
binary packages -, now I have to trust this "_one_person_", I'd much rather 
assess the risks/benefits of new code in the tree myself, after all I know my 
security needs more than they do (in theory).  Now I can do this to some 
extent now with the new source standard, but the current source tree 
manipulation tools are so clumsy to work with that ascertaining how each 
change will affect *my* tree becomes a very large hassle.

> 	4. Access to master.debian.org is extremely difficult for many people who
> 	   don't happen to be in North America. Maintaining a central CVS archive
> 	   in any one location has the same disadvantage.
> 

This is a very big argument *for* CVS.  I assume you mean it is difficult for 
people due to bandwidth bottlenecks on international links to US?  CVS 
maximises available bandwidth.

Apart from these arguments, I seem to remember it mentioned that part of 
Debian's role was seen to develop new Linux features that other distributions 
may or may not wish to pick up on.  Now I just checked the manifesto and 
couldn't see anything to this effect, so maybe it was a manufactured memory ;).
Anyways I think that whilst a packaging system is good (and btw there is no 
need to get rid of a packaging system if a move was made to CVS [although 
source packages *would* seem kinda redundant, there is still room for having a 
set of binary only packages]), I think we could offer some more choice in the 
Linux distribution arena by offering a CVS source tree which could work in 
parallel with a packaging system, this would be (AFAIK) a unique Debian 
feature.  Considering lots of people thought the only difference between 
Debian and everyone else was dpkg, perhaps some more "product differentiation" 
wouldn't go astray.


Richard Jones.


--
Please respect the confidentiality of material on the debian-private list.
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-private-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com