Hi Léo,

Léo Le Bouter <lle-b...@zaclys.net> writes:
> The people that work on it now are Raghav and me, and Raghav does not
> have commit access yet, so that's the only way we can work and
> cooperate now. We don't have a choice.

Sorry, but that's simply false.  You _do_ have a choice.  You can do
what we've been doing in the Guix community for years: as a committer,
_you_ can commit the work of non-committers on their behalf.  If not
you, then any of the other ~64 Guix committers can do so.

Needless to say, before committing, you must review the proposed
patches, for the sake of your reputation.  The fact that you must do
this is a *feature*, not a bug.

> I don't feel like people should be barred from contributing to that GNOME
> 40 upgrade because they aren't an approved committer. That doesn't feel
> inclusive to me.

No one is "barred" from contributing.  Raghav and many others without
commit access have been successfully contributing to Guix for years.

I understand that it's inconvenient.  Naturally, you would like to
eliminate that inconvenience.

The thing is, the work of non-committers *must* be reviewed at some
point, anyway.  Moreover, a committer must take responsibility by
digitally signing it.  To eliminate either of these steps would put us
at risk.

There's no guarantee that the work of Guix committers will be reviewed
by anyone else, because no one else's reputation is on the line.  Some
of us try to keep an eye on things, but I would not bet on that
oversight being comprehensive.  I'm certainly not doing it
comprehensively.

With this in mind, I think that we *should* have a high standard for
committers.  The security of our systems, as well as Guix's reputation
as a project, depends upon the good judgment of _every_ Guix committer.

Observe what can happen with projects that are too lax:

  
https://arstechnica.com/gadgets/2021/03/buffer-overruns-license-violations-and-bad-code-freebsd-13s-close-call/

> Why would it not get adequate oversight? It's just an easier way to
> collaborate on patches, but the patchset would be sent over to
> guix-patches before getting merged to master or else.

Upgrading GNOME is not trivial.  It will be a large patch set.  A large
patch set presented to guix-patches when the branch is ready to merge is
far less likely to get careful review than if the review is done a few
commits at a time.  That's because, at any given time, it's easier to
find Guix developers with a few minutes available to carefully review a
small handful of commits, than to find developers prepared to review a
non-trivial branch merge.  If they're reviewed at all, reviews of larger
code drops are more likely to be superficial.

* * *

In summary: it seems to me that working in an external repository with a
larger set of committers would not actually save time, because it would
merely postpone the required review work until the end of the process
when the branch is ready to be merged into Savannah.  Moreover, it would
likely reduce the quality of that review work.

Does that make sense?

    Regards,
      Mark
