On Tue, Nov 09, 2004 at 08:53:21PM -0800 or thereabouts, Chris Haumesser wrote:
> Devs, what have you to lose by helping us do this? I don't think I
> understand the resistance, outside of the emotional reaction triggered
> by this thread's initiator.
The original fix suggested won't work for a number of reasons that I'm not
going to bother to re-hash here. I did suggest an alternate solution that
I think is going to work and Peter has agreed to write the code to
implement it.
This entire thread has been very demotivating to me as a Gentoo developer.
Please keep in mind that I donate my time because I enjoy what I do. I
think it's safe to say that all of the other developers share that same
motivation. If you take the enjoyment out of developing Gentoo, it's going
to die off rather quickly.
You can't expect to be placed on the same pedestal that a commercial vendor
will place you on because you, as a user, aren't providing the same value
(money) that you do in a traditional commercial transaction. Quite
frankly, a lot of the users out there are leeches who don't provide
anything back to the Gentoo community, but consume our software
nonetheless. That's fine -- I don't begrudge them because I do what I do
because I enjoy it. So, when taking a stand on what you feel to be an
important issue, keep this in mind: It does not matter if you are morally
right. It does not matter if the issue is serious. If you take the fun
out of developing this distro, Gentoo will die, period.
Anyway, enough preaching. This thread has gone on long enough. The
solution that's been agreeed upon is signing the daily snapshots that we
provide for users who can't use rsync. (/snapshots directory on your
favorite source mirror)
This provides the ability to verify the integrity of every single file
under /usr/portage/ and requires very little changes to our existing
infrastructure. emerge-webrsync will be hacked up to provide verification
support for it. I don't have any commitments from the portage devs that
these changes will be included (emerge-webrsync is part of portage) so this
may end up being an unsupported, use-at-your-own-risk solution. It does
not take away from or alter the plans to implement a much better, more
robust verification solution in portage itself.
--kurt
P.S. I do not want anyone to think that this solution is being implemented
because of the bitching and screaming that occurred. If someone had posted
a message to the list before all this broke out suggesting this solution
and volunteering to write the code for it, it would be in place by now.
That's another way of saying that we didn't have to go through all this
unpleasantness...
> Devs, what have you to lose by helping us do this? I don't think I
> understand the resistance, outside of the emotional reaction triggered
> by this thread's initiator.
The original fix suggested won't work for a number of reasons that I'm not
going to bother to re-hash here. I did suggest an alternate solution that
I think is going to work and Peter has agreed to write the code to
implement it.
This entire thread has been very demotivating to me as a Gentoo developer.
Please keep in mind that I donate my time because I enjoy what I do. I
think it's safe to say that all of the other developers share that same
motivation. If you take the enjoyment out of developing Gentoo, it's going
to die off rather quickly.
You can't expect to be placed on the same pedestal that a commercial vendor
will place you on because you, as a user, aren't providing the same value
(money) that you do in a traditional commercial transaction. Quite
frankly, a lot of the users out there are leeches who don't provide
anything back to the Gentoo community, but consume our software
nonetheless. That's fine -- I don't begrudge them because I do what I do
because I enjoy it. So, when taking a stand on what you feel to be an
important issue, keep this in mind: It does not matter if you are morally
right. It does not matter if the issue is serious. If you take the fun
out of developing this distro, Gentoo will die, period.
Anyway, enough preaching. This thread has gone on long enough. The
solution that's been agreeed upon is signing the daily snapshots that we
provide for users who can't use rsync. (/snapshots directory on your
favorite source mirror)
This provides the ability to verify the integrity of every single file
under /usr/portage/ and requires very little changes to our existing
infrastructure. emerge-webrsync will be hacked up to provide verification
support for it. I don't have any commitments from the portage devs that
these changes will be included (emerge-webrsync is part of portage) so this
may end up being an unsupported, use-at-your-own-risk solution. It does
not take away from or alter the plans to implement a much better, more
robust verification solution in portage itself.
--kurt
P.S. I do not want anyone to think that this solution is being implemented
because of the bitching and screaming that occurred. If someone had posted
a message to the list before all this broke out suggesting this solution
and volunteering to write the code for it, it would be in place by now.
That's another way of saying that we didn't have to go through all this
unpleasantness...