Let's close the remaining merge reviews

Josh Boyer jwboyer at fedoraproject.org
Tue Mar 25 13:48:17 UTC 2014


On Tue, Mar 25, 2014 at 9:43 AM, Matthew Miller
<mattdm at fedoraproject.org> wrote:
> On Tue, Mar 25, 2014 at 09:29:12AM -0400, Josh Boyer wrote:
>> > I like the idea of actually revisiting the list and deciding what to do,
>> > although pulling them out of the repository seems unnecessarily drastic.
>> This always winds up being the suggestion.  Nobody actually does
>> anything about it.  I'd only be supportive of this on two conditions:
>
> Well, I was looking through the list.... there are some important packages
> in here, including gcc, nss, samba, httpd, and a lot more. And tcp_wrappers.
> :) Many of these really deserve the attention.

I find that difficult to believe given that they haven't had said
attention in 7 years and stuff is still working.

>> 1) Actual bugs impacting actual people as a result of an improper spec
>> file were present
>> 2) One of the bodies responsible for packages in Fedora (FESCo, FPC,
>> ?) agreed to conduct audits across all packages for guideline
>> adherence at regular intervals.
>>
>> I'd be willing to not require item 1 if item 2 were actually done.  It
>> never has been, and if it had it would already suffice for the purpose
>> the merge review tickets would serve today.
>
> I don't think that we need to do it across *all* packages. I'd like to see
> it done initially for all packages that end up part of the base design.
> That's a more manageable chunk and will focus the effort where it will have
> the most benefit.

Under the premise that some is better than none, OK.  I have doubts
that regularly scheduled _recurring_ audits will actually be done at
all for any set of packages though.  The argument is always lack of
people doing it.  The solution is automation.  The argument against
_that_ is lack of people doing it and complexity to do it properly in
an automated fashion.

Vicious cycles are vicious.

josh


More information about the devel mailing list