Let's close the remaining merge reviews
Josh Boyer
jwboyer at fedoraproject.org
Tue Mar 25 13:48:17 UTC 2014
On Tue, Mar 25, 2014 at 9:43 AM, Matthew Miller
<mattdm at fedoraproject.org> wrote:
> On Tue, Mar 25, 2014 at 09:29:12AM -0400, Josh Boyer wrote:
>> > I like the idea of actually revisiting the list and deciding what to do,
>> > although pulling them out of the repository seems unnecessarily drastic.
>> This always winds up being the suggestion. Nobody actually does
>> anything about it. I'd only be supportive of this on two conditions:
>
> Well, I was looking through the list.... there are some important packages
> in here, including gcc, nss, samba, httpd, and a lot more. And tcp_wrappers.
> :) Many of these really deserve the attention.
I find that difficult to believe given that they haven't had said
attention in 7 years and stuff is still working.
>> 1) Actual bugs impacting actual people as a result of an improper spec
>> file were present
>> 2) One of the bodies responsible for packages in Fedora (FESCo, FPC,
>> ?) agreed to conduct audits across all packages for guideline
>> adherence at regular intervals.
>>
>> I'd be willing to not require item 1 if item 2 were actually done. It
>> never has been, and if it had it would already suffice for the purpose
>> the merge review tickets would serve today.
>
> I don't think that we need to do it across *all* packages. I'd like to see
> it done initially for all packages that end up part of the base design.
> That's a more manageable chunk and will focus the effort where it will have
> the most benefit.
Under the premise that some is better than none, OK. I have doubts
that regularly scheduled _recurring_ audits will actually be done at
all for any set of packages though. The argument is always lack of
people doing it. The solution is automation. The argument against
_that_ is lack of people doing it and complexity to do it properly in
an automated fashion.
Vicious cycles are vicious.
josh
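As an added illustration of the kind of automated guideline audit the message above argues for (example code written for this page, not Fedora tooling and not rpmlint), here is a small Python script that splits an RPM spec file into its sections and flags a few constructs that Fedora's packaging guidelines had already made obsolete by this point: the BuildRoot tag, Vendor/Packager tags, a %clean section, a leading rm -rf of the buildroot in %install, and %defattr in %files. The rule table and the sample spec are constructed for the example; the rule names are arbitrary.

```python
"""Toy spec-file audit.

Added example, not Fedora's own tooling and not rpmlint. The checks are
limited to a handful of packaging-guideline items that were obsolete by
2014; the rule names and the sample spec below are constructed.
"""
import re

# Section headers we care about; %setup, %{_bindir}, etc. do not match.
SECTION_RE = re.compile(
    r"^%(prep|build|install|check|clean|files|changelog|description"
    r"|package|pre|post|preun|postun)\b"
)


def split_sections(text):
    """Map section name -> list of lines; lines before the first section
    go under 'preamble'. Repeated sections (several %files) are merged."""
    sections = {"preamble": []}
    current = "preamble"
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def audit_spec(text):
    """Return a list of (rule, evidence) findings for one spec file."""
    findings = []
    sections = split_sections(text)
    for line in sections["preamble"]:
        if re.match(r"^BuildRoot\s*:", line, re.I):
            findings.append(("buildroot-tag", line.strip()))
        if re.match(r"^(Vendor|Packager)\s*:", line, re.I):
            findings.append(("vendor-packager-tag", line.strip()))
    if "clean" in sections:
        findings.append(("clean-section", "%clean"))
    for line in sections.get("install", []):
        if re.match(r"^\s*rm\s+-rf\s+(\$RPM_BUILD_ROOT|%\{?buildroot\}?)\s*$",
                    line):
            findings.append(("install-rm-buildroot", line.strip()))
    for line in sections.get("files", []):
        if line.strip().startswith("%defattr"):
            findings.append(("defattr", line.strip()))
    return findings


# Constructed sample spec carrying every construct the audit flags.
SAMPLE_SPEC = """\
Name:           example
Version:        1.0
Release:        1%{?dist}
Summary:        Constructed sample package
License:        MIT
URL:            https://example.invalid/
Source0:        example-1.0.tar.gz
BuildRoot:      %{_tmppath}/%{name}-%{version}-root
Packager:       Somebody <somebody@example.invalid>

%description
Constructed sample for the audit script.

%prep
%setup -q

%build
make %{?_smp_mflags}

%install
rm -rf $RPM_BUILD_ROOT
make install DESTDIR=$RPM_BUILD_ROOT

%clean
rm -rf $RPM_BUILD_ROOT

%files
%defattr(-,root,root,-)
%{_bindir}/example

%changelog
* Tue Mar 25 2014 Nobody <nobody@example.invalid> - 1.0-1
- Constructed entry
"""

if __name__ == "__main__":
    for rule, evidence in audit_spec(SAMPLE_SPEC):
        print(f"{rule}: {evidence}")
```

Run over a directory of checked-out spec files, a script like this gives the recurring audit a starting point without anyone reading every spec by hand; the hard part it does not solve is keeping the rule table in step with the guidelines as they change, which is exactly the maintenance cost the message above anticipates.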