Hi there! During the last web-apps meeting we decided that we would like to further discuss the upstream requirements a package needs to fulfill in order to be added to the portage tree by the web-apps team.
The current proposition is specified here: http://svn.gnqs.org/projects/gentoo-webapps-overlay/wiki/UpstreamRequirements

In my discussion with Stuart this morning I did realize that there are not too many packages available that would actually meet these criteria. So far we probably have around five in the portage tree. The main blocker is the security requirements, since many projects do not provide special security contacts or mailing lists devoted to security. For some projects this probably implies that they actually don't care too much about security.

It is clear that it is not appealing for the web-apps herd to care for a high number of unsafe packages in the tree, especially since web applications by their very nature should be much more secure than many applications only used locally. A high number of security bugs or a slow response to these will not shine the best light on our distro. So reliable security information from upstream would help the web-apps team to react in a prompt and timely fashion when a security issue arises.

On the other hand we would probably be forced to reduce the tree to a small number of web-apps if we enforce the requirements very stringently, which might not be very appealing to our users.

I also had the impression that one of the packages that has been a major problem last year (phpBB) actually nearly fulfills the current requirement proposals (at least to a greater extent than many of the smaller packages) but nonetheless has caused quite an amount of grief. Having bug trackers, announcement lists and security mails might not always cover up for direct experience with the project itself.

So I would suggest that we enforce the current proposal in all cases where we do not have a developer in our herd actively using the package. I think that any dev of our herd that actively uses a package is probably a better source of information about the security of the package than the mailing lists of the project.

At least as long as I assume that we care a lot more about the security of our servers than the average user. But I believe that's a safe bet.

If there is no dev with an active interest in the package, all we have is the information from upstream. In this case I do believe the requirements make absolute sense.

My .2 cents :)

Cheers

Gunnar

--
Gunnar Wrobel
Gentoo Developer
__________________C_o_n_t_a_c_t__________________
Mail: [EMAIL PROTECTED]
WWW: http://www.gunnarwrobel.de
IRC: #gentoo-web at freenode.org
_________________________________________________