Re: Ubuntu needs a new development model

2010-06-25 Thread Ryan Oram
On Mon Jun 14 11:23:03 BST 2010, Matthew Paul Thomas  wrote:
>We're making a small step towards this in Maverick, with the ability for
>application developers to submit packages for an Ubuntu version after
>that version has been released.
>

Hmm, it doesn't cover application updates, only *new* applications. It
seems also a bit process and red-tape heavy ATM, but that stuff can be
moderated later on.

It's a step forward to say the least, but I'm disappointed that it
doesn't cover application updates.

-

I think leaving maintenance of the end-user applications to the
developers will free up a ton of resources so the Ubuntu developers
can focus on making the core OS stable. In addition, it also removes
the major reason for having a new version of Ubuntu every 6 months,
making a yearly release possible, something many have been clamoring
for (http://tinyurl.com/ubuntu-standard , the original seems to be
down). This will give the developers of Ubuntu more time to test the
OS.

I feel that having the applications updated and distributed separately
from the core OS releases will result in a more stable distribution.
I'm happy that Canonical and Ubuntu are considering this path, but
perhaps you should go a little bit further.

Thanks,
Ryan

-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss


Re: Ubuntu needs a new development model

2010-06-14 Thread Matthew Paul Thomas
Ryan Oram wrote on 05/05/10 23:44:
> 
> Ubuntu needs a change in direction. I propose that Ubuntu adopt a
> development model where only the core operating system, userland, core
> libraries, and desktop environment are frozen every 6 months. The
> applications would then be freely updated to the newest versions at
> all times. Package maintenance and support for the end-user
> applications would be provided by the developers themselves.
>...

We're making a small step towards this in Maverick, with the ability for
application developers to submit packages for an Ubuntu version after
that version has been released.


-- 
Matthew Paul Thomas
http://mpt.net.nz/


Re: Ubuntu needs a new development model

2010-05-07 Thread Michael Bienia
On 2010-05-06 21:42:40 +0100, Dmitrijs Ledkovs wrote:
> Debian is not using public gpg servers. Instead they maintain their
> own keyring shipped in the debian-keyring package. You cannot add
> signatures to that from non-dd's. And DD's are only keeping real
> signatures on their keys from key signing parties.

That's not fully correct. The keys from DDs are also on the public key
servers, but a key has to be in the separately managed debian-keyring to
have upload rights to Debian. The membership in this keyring is
important, not the signatures on the key.
Of course it is possible to sign a key of a DD without being a DD
oneself. I've signatures from DDs on my key and also have signed their
keys (without being a DD).

And as the keys are on public keyservers, you have no control on the
signatures on your key. But you can tell gpg how much you trust (or not
trust) a key. And only trust other keys if they have signatures from
trusted keys.

Michael
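
[Added example, not part of Michael's message and not GnuPG or Debian code: a simplified Python model of the two checks described above, key validity derived from locally assigned owner trust and upload rights decided by keyring membership alone. Key names are constructed; the thresholds follow GnuPG's classic trust-model defaults.]

```python
# Added example: simplified model with constructed key names.
from dataclasses import dataclass, field

FULL, MARGINAL, NONE = "full", "marginal", "none"
COMPLETES_NEEDED = 1  # GnuPG classic trust model default
MARGINALS_NEEDED = 3  # GnuPG classic trust model default
MAX_CERT_DEPTH = 5    # GnuPG classic trust model default


@dataclass
class Key:
    key_id: str
    signed_by: set = field(default_factory=set)  # ids of keys that certified this key


def valid_keys(keys, ownertrust, ultimate):
    """Return the ids of keys the verifier accepts as valid.

    keys:       dict key_id -> Key (what a public keyserver would hand out)
    ownertrust: dict key_id -> FULL or MARGINAL, assigned locally by the verifier
    ultimate:   ids of the verifier's own keys
    A signature only counts if the signing key is itself valid AND the
    verifier has assigned it owner trust; anything else is ignored.
    """
    valid = set(ultimate)
    for _ in range(MAX_CERT_DEPTH):  # each pass extends chains by one hop
        newly_valid = set()
        for key_id, key in keys.items():
            if key_id in valid:
                continue
            full = marginal = 0
            for signer in key.signed_by:
                if signer not in valid:
                    continue  # unknown or unvalidated signer: counts for nothing
                trust = FULL if signer in ultimate else ownertrust.get(signer, NONE)
                full += trust == FULL
                marginal += trust == MARGINAL
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly_valid.add(key_id)
        if not newly_valid:
            break
        valid |= newly_valid
    return valid


def may_upload(signer_id, signature_ok, upload_keyring):
    """Archive-side check: a good signature from a key in the curated keyring.

    Signatures that other people placed on the uploader's key play no role.
    """
    return bool(signature_ok and signer_id in upload_keyring)


def build_scenario():
    """Constructed sample data: returns (keys, ownertrust, ultimate, upload_keyring)."""
    strangers = {f"stranger{i:02d}" for i in range(1, 16)}
    keys = {
        "me": Key("me"),
        "alice": Key("alice", {"me"}),
        "bob": Key("bob", {"alice"}),
        "carol": Key("carol", strangers),   # 15 unsolicited signatures
        "mallory": Key("mallory", {"bob"}),  # bob is valid but has no owner trust
        "m1": Key("m1", {"me"}),
        "m2": Key("m2", {"me"}),
        "m3": Key("m3", {"me"}),
        "dave": Key("dave", {"m1", "m2", "m3"}),  # three marginal signers
        "erin": Key("erin", {"m1", "m2"}),        # only two marginal signers
    }
    ownertrust = {"alice": FULL, "m1": MARGINAL, "m2": MARGINAL, "m3": MARGINAL}
    return keys, ownertrust, {"me"}, {"alice"}


if __name__ == "__main__":
    keys, ownertrust, ultimate, upload_keyring = build_scenario()
    valid = valid_keys(keys, ownertrust, ultimate)
    for key_id in sorted(keys):
        print(f"{key_id:8} valid={key_id in valid!s:5} "
              f"may_upload={may_upload(key_id, True, upload_keyring)}")
```

[In this model the key with fifteen signatures from unknown keys stays invalid, and a key that is valid in the verifier's web of trust still cannot upload unless it is in the keyring.]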



Re: Ubuntu needs a new development model

2010-05-06 Thread Martin Owens
On Thu, 2010-05-06 at 16:23 -0400, John Moser wrote:
> Which brings us back to trusting people.

I'll ignore your over the top theatrics and merely posit that perhaps
solving the problem of trust can only really be tackled once you've got a
firm grasp of human dignity.

Most people are not out to get you, you just need a proper system of
reputation that can signify the trustworthiness of someone you don't
know through the people you do.

I've often said that I think PPA keys shouldn't be added until the user
has had a chance to look at a well designed page about the signatory and
their connections to other people and organisations.

As I said, the tools we have are insufficient and the workflows we have
are immature, but don't just sit there with your hands under your bum
telling me it's not possible and we should give up.

Martin,




Re: Ubuntu needs a new development model

2010-05-06 Thread Dmitrijs Ledkovs
On 6 May 2010 21:23, John Moser  wrote:
> On Thu, May 6, 2010 at 4:07 PM, Dmitrijs Ledkovs
>  wrote:
>
>> http://en.wikipedia.org/wiki/Web_of_trust
>>
>> The thing that all packages in debian rely on to prove that they are 
>> authentic?
>
>
> He said easier to trust PEOPLE.  Look at the PGP web of trust, people
> with dozens or hundreds of signatures on their PGP public keys.  When
> I was using GPG for a year to sign my e-mails, I re-downloaded my
> public key from the key server and had found that some 15 or so people
> that I'd never heard of had signed my key.
>

Debian is not using public gpg servers. Instead they maintain their
own keyring shipped in the debian-keyring package. You cannot add
signatures to that from non-dd's. And DD's are only keeping real
signatures on their keys from key signing parties.

> Your first response to this is going to point out that Ubuntu could
> trust only keys signed with keys that themselves are signed with an
> Ubuntu Master Key or some such; so maybe Martin's key is signed by

My response is to not use public gpg keyservers as authoritative source
of keys & signatures

> Canonical, Inc and Martin signs your key, so you're valid.  You sign
> another key, that is still called "untrusted."  Thus, we don't have
> the crazy uncontrolled mess described above.
>

That's more in line with SSL keys with CA keys and so-on. Debian does
self-signed ones, then sign it by gpg key =) cause CA keys are imho a
bit of mess and I can't really trust them for distributed nature.

> Which brings us back to trusting people.
>
> Out of the hundreds, thousands of people that you want to incorporate
> into your trust hierarchy, how do you determine which can be trusted?
> Who is talking their way through you, showing good work, uploading
> hundreds of excellent packages with stopgap patches or well-requested
> features and things that won't go into Main or will go in later; but
> in secret, really waiting for a good time to slip malware into a
> package?
>

I don't recall that this ever happened with ubuntu or debian to the
point that it got distributed to users. Plus there is hierarchy of
human review of all packages which go into the archive. Such things
will be noticed very quickly.

> It doesn't have to be patches they wrote; could be a -ck kernel or a
> kernel with a piece from -mm, or a patch onto Gimp that's gained
> popularity but nobody felt fit to pay attention to, or any other
> 3-seconds-of-work patching process.  More than 3 seconds?  Oh, this
> one I hit a bump with, I think I'll just discard it; I've got plenty
> of other "work" to show.
>

you lost me here.

> The smoke and mirrors is a bit complex; but we're talking about a
> threat that essentially amounts to "someone wrote, compiled, packaged,
> tested, and uploaded a piece of malware to a repository they needed
> special permission to join."  This is not a fat businessman pushing
> the "SPAM THE WORLD" button.
>

I may be wrong but there are about 200 people with upload rights to
ubuntu archive. It's not so hard to know 200 people. Most of these
people are putting their reputation and work prospects when they sign
a package for upload. One such incident can invalidate years of hard
work in open-source. I don't think there are people motivated enough to
cause such a thing.

> Every time someone suggests finding a way to trust people more (or in
> this case, trust more people), God laughs at them.  A lot.  The only
> way to fully trust an individual is to hang a camera and a turret
> above his head constantly, and even then you can't be sure; the only

How does that help to read someone's mind? I don't follow.

> way to improve how much you can safely trust someone is to devote
> resources to learning about them on a personal and technical (i.e.
> background check) level.  When you add hundreds of developers or just
> random people to a project, with direct access, you WILL have
> problems, and you WILL hand access to people who desperately don't

All people are already filtered like that. The suggestion here is that
you can extend this model to unofficial repositories and allow users
to connect to those easier.

You might want to look at openSUSE buildservice which allows 1-click
install of packages from any random user's published repositories.
They even kind of hide the fact that it is a team or person they just
display a catalogue with package names and versions.

> need it.  This is why the Linux Kernel has 30,000 developers and all
> of 1 or 2 people with commit access (Linus and who else?  Drepper and
> Andrew maybe).
>

Everyone has commit access to linux tree. Go clone it and commit.
Every linux based distribution are maintaining forks with custom set
of patches applied & different compile settings. If you think about it
this way there are 100 of actively maintained forks which are
distributed to users without explicitly going through Linus, Drepper
nor Andrew. But in order to get into the mainline and 

Re: Ubuntu needs a new development model

2010-05-06 Thread John Moser
On Thu, May 6, 2010 at 4:07 PM, Dmitrijs Ledkovs
 wrote:

> http://en.wikipedia.org/wiki/Web_of_trust
>
> The thing that all packages in debian rely on to prove that they are 
> authentic?


He said easier to trust PEOPLE.  Look at the PGP web of trust, people
with dozens or hundreds of signatures on their PGP public keys.  When
I was using GPG for a year to sign my e-mails, I re-downloaded my
public key from the key server and had found that some 15 or so people
that I'd never heard of had signed my key.

Your first response to this is going to point out that Ubuntu could
trust only keys signed with keys that themselves are signed with an
Ubuntu Master Key or some such; so maybe Martin's key is signed by
Canonical, Inc and Martin signs your key, so you're valid.  You sign
another key, that is still called "untrusted."  Thus, we don't have
the crazy uncontrolled mess described above.

Which brings us back to trusting people.

Out of the hundreds, thousands of people that you want to incorporate
into your trust hierarchy, how do you determine which can be trusted?
Who is talking their way through you, showing good work, uploading
hundreds of excellent packages with stopgap patches or well-requested
features and things that won't go into Main or will go in later; but
in secret, really waiting for a good time to slip malware into a
package?

It doesn't have to be patches they wrote; could be a -ck kernel or a
kernel with a piece from -mm, or a patch onto Gimp that's gained
popularity but nobody felt fit to pay attention to, or any other
3-seconds-of-work patching process.  More than 3 seconds?  Oh, this
one I hit a bump with, I think I'll just discard it; I've got plenty
of other "work" to show.

The smoke and mirrors is a bit complex; but we're talking about a
threat that essentially amounts to "someone wrote, compiled, packaged,
tested, and uploaded a piece of malware to a repository they needed
special permission to join."  This is not a fat businessman pushing
the "SPAM THE WORLD" button.

Every time someone suggests finding a way to trust people more (or in
this case, trust more people), God laughs at them.  A lot.  The only
way to fully trust an individual is to hang a camera and a turret
above his head constantly, and even then you can't be sure; the only
way to improve how much you can safely trust someone is to devote
resources to learning about them on a personal and technical (i.e.
background check) level.  When you add hundreds of developers or just
random people to a project, with direct access, you WILL have
problems, and you WILL hand access to people who desperately don't
need it.  This is why the Linux Kernel has 30,000 developers and all
of 1 or 2 people with commit access (Linus and who else?  Drepper and
Andrew maybe).



Re: Ubuntu needs a new development model

2010-05-06 Thread Dmitrijs Ledkovs
On 6 May 2010 20:33, John Moser  wrote:
> On Thu, May 6, 2010 at 3:27 PM, Martin Owens  wrote:
>
>> Work on making... easier to trust people
>
>  hahahahahahaha.
>
> Hey man, I'm calling from your bank.  There's like, a problem with
> your account...
>
> Wait, what were you suggesting again?
>

http://en.wikipedia.org/wiki/Web_of_trust

The thing that all packages in debian rely on to prove that they are authentic?

and you shouldn't be laughing at Martin Owens that's disrespectful
considering the amount of work he has done for ubuntu.




Re: Ubuntu needs a new development model

2010-05-06 Thread John Moser
On Thu, May 6, 2010 at 3:27 PM, Martin Owens  wrote:

> Work on making... easier to trust people

 hahahahahahaha.

Hey man, I'm calling from your bank.  There's like, a problem with
your account...

Wait, what were you suggesting again?



Re: Ubuntu needs a new development model

2010-05-06 Thread Martin Owens
Indeed, but what you suggest is not economically relevant although it
may be interesting socially.

Work on making GPG keys easier to work with and easier to trust people
and packages signed by people and organisations, then you can work on
getting it more distributed.

Martin,

On Wed, 2010-05-05 at 23:26 -0400, Ryan Oram wrote:
> This is intentional as I am an economics/computer science major,
> currently writing my thesis on the economics behind the open source
> development model. To be frank, I feel that the current Ubuntu
> development model is unsound as it simply does not scale. 




Re: Ubuntu needs a new development model

2010-05-06 Thread Aurélien Naldi
On Thu, May 6, 2010 at 8:38 AM, Ryan Oram  wrote:
[...]
>
> The idea of developers being better maintainers is a bit of economic
> theory. My goal is to make the Linux distribution more scalable. If
> developers concentrate on their packages and distributions concentrate
> on the core operating system, this makes for a much more efficient
> system there is much less duplicated work. The cost of adding more
> software to a distribution under this system would rapidly approach
> zero, as the distribution would just run a minimal check and do
> minimal testing.
>
> Ryan


Hi,

this may sound attractive but it really feels like a half-baked argument.
First, as some already mentioned, most upstream have little or no
knowledge on packaging. More importantly, not all upstream are
ubuntu-centric. The linux world is very wide and while ubuntu is for
sure a very visible distribution, it is not the only one by a long
shot. Furthermore some upstreams are not even linux-centric...

Even if all upstreams were ubuntu-centric, this kind of approach has
pros and cons, you can't just pretend the pros outweigh the cons
without a detailed study of the userbase, which is quite large...

Packaging is hard and maintaining a consistent distribution is a huge
task. I for one would love to have newer versions of some software
when I need newest features or specific bug fixes, but throwing new
versions of working stuff all over the distribution would eventually
lead to more broken stuff. PPAs are great for this, it is a clear
improvement for the previous alternatives (stick with whatever is in
stable or run unstable) even if it may be a definitive solution.

I do think a proper way to achieve this may be worth discussion, maybe
by extending PPAs or making it easier to have nightly builds of the
latest upstream version for existing packages, possibly in a
semi-official and integrated way (like offering test channels for some
applications in the application manager) but I'm pretty sure this must
be used with caution: it can cause fragmentation and
combination-dependent bugs that are hard to track (but if done
properly, ubuntu-bug would also be able to collect this kind of
information).

BTW, I think something in this line has already been experimented (and
failed) in the debian world, wasn't it the purpose of Ian Murdock's
"Progeny Componentized Linux"?

Best regards.

-- 
Aurélien Naldi



Re: Ubuntu needs a new development model

2010-05-05 Thread Ryan Oram
On Thu May 6 05:37:30 +,  wrote:
>Thinking you need to say "no offense" is generally a good sign to avoid saying
>what you are considering saying if you actually care to avoid offense.
>
>My experience is rather the opposite. Most upstreams care about developing
>their computer programs (as they should). Packaging for a distro is rather
>different and specialized. Having upstream involvement is great (and in
>some cases essential), but upstream developers are not usually the best
>distro maintainers.
>
>Where I'm upstream I don't attempt to insert myself in packaging for RPM
>distros, but am glad to answer questions if their maintainers have them.
>
>Scott K

The idea of developers being better maintainers is a bit of economic
theory. My goal is to make the Linux distribution more scalable. If
developers concentrate on their packages and distributions concentrate
on the core operating system, this makes for a much more efficient
system there is much less duplicated work. The cost of adding more
software to a distribution under this system would rapidly approach
zero, as the distribution would just run a minimal check and do
minimal testing.

Ryan



Re: Ubuntu needs a new development model

2010-05-05 Thread Mario Vukelic
On Wed, 2010-05-05 at 20:49 -0400, Ryan Oram wrote:
> End users don't want to have to add PPAs or download .deb files off of
> websites.

These end users don't want constantly changing applications (and bugs)
all the time either, in my experience.




Re: Ubuntu needs a new development model

2010-05-05 Thread Scott Kitterman


"Ryan Oram"  wrote:

>It seems like a good site, but I ultimately feel it should be the
>developer themselves who package the applications, as the developers
>will have a much greater incentive to make working and tested packages
>than the maintainers (no offense to the great work of the maintainers
>of Ubuntu and Debian).
>
Thinking you need to say "no offense" is generally a good sign to avoid saying 
what you are considering  saying if you actually care to avoid offense. 

My experience is rather the opposite. Most upstreams care about developing 
their computer programs (as they should). Packaging for a distro is rather 
different and specialized. Having upstream involvement is great (and in some 
cases essential), but upstream developers are not usually the best distro 
maintainers.

Where I'm upstream I don't attempt to insert myself in packaging for RPM 
distros,  but am glad to answer questions if their maintainers have them.

Scott K


Re: Ubuntu needs a new development model

2010-05-05 Thread Ryan Oram
This is intentional as I am an economics/computer science major,
currently writing my thesis on the economics behind the open source
development model. To be frank, I feel that the current Ubuntu
development model is unsound as it simply does not scale.

Ryan

On Wed, May 5, 2010 at 11:22 PM, Martin Owens  wrote:
> You mean "Publishing Model" not "Development Model"
>
> There are people thinking about development models, economics,
> community, tools etc and this thread is not about any of it.
>
> Martin,
>
> On Wed, 2010-05-05 at 18:44 -0400, Ryan Oram wrote:
>> Ubuntu needs a change in direction. I propose that Ubuntu adopt a
>> development model where only the core operating system, userland, core
>> libraries, and desktop environment are frozen every 6 months. The
>> applications would then be freely updated to the newest versions at
>> all times. Package maintenance and support for the end-user
>> applications would be provided by the developers themselves.
>>
>> This new release system would be very similar to the semi-rolling
>> release system I implemented (and tested) in infinityOS.
>>
>> Thanks,
>> Ryan Oram
>>
>
>
>



Re: Ubuntu needs a new development model

2010-05-05 Thread Martin Owens
You mean "Publishing Model" not "Development Model"

There are people thinking about development models, economics,
community, tools etc and this thread is not about any of it.

Martin,

On Wed, 2010-05-05 at 18:44 -0400, Ryan Oram wrote:
> Ubuntu needs a change in direction. I propose that Ubuntu adopt a
> development model where only the core operating system, userland, core
> libraries, and desktop environment are frozen every 6 months. The
> applications would then be freely updated to the newest versions at
> all times. Package maintenance and support for the end-user
> applications would be provided by the developers themselves.
> 
> This new release system would be very similar to the semi-rolling
> release system I implemented (and tested) in infinityOS.
> 
> Thanks,
> Ryan Oram
> 





Re: Ubuntu needs a new development model

2010-05-05 Thread Ben Gamari
On Wed, 5 May 2010 18:44:02 -0400, Ryan Oram  wrote:
> Ubuntu needs a change in direction.

Is that so? Now back up your claim with something substantial and maybe,
just maybe, someone might buy your argument. I will say, however, that
you have an up-hill battle.

If you are going to propose sweeping changes to the release model of a
distribution with a user-base as large as Ubuntu's, please spend more
than five minutes preparing your argument.

> I propose that Ubuntu adopt a development model where only the core
> operating system, userland, core libraries, and desktop environment
> are frozen every 6 months. The applications would then be freely
> updated to the newest versions at all times. Package maintenance and
> support for the end-user applications would be provided by the
> developers themselves.

In my view, this is exactly what we don't need. We have enough trouble
keeping bug reports straight with only a couple versions of applications
and libraries in active circulation at a time. What you just proposed
sounds like a close approximation of hell.

> This new release system would be very similar to the semi-rolling
> release system I implemented (and tested) in infinityOS.

Wonderful. InfinityOS can enjoy it. We, however, like to maintain our
sanity.

- Ben



Re: Ubuntu needs a new development model

2010-05-05 Thread Ryan Oram
I apologize for the top posting. Gmail is not the best client for this. :P

The devs on Launchpad often don't have the most recent versions as the
fact that users have to go through hoops to add PPA (I do not expect
my dad to be able to add a PPA) limits their userbase. Increase the
number of people who will use the packages and the developer will be
encouraged to keep their PPAs better up to date.

I expect that any packages that are not done properly (which is VERY
hard to do with Launchpad) would be caught by the minimal testing. It
would be very easy to spot a package that was made from a binary blob
tarball.

Ryan

On Wed, May 5, 2010 at 9:53 PM, Dmitrijs Ledkovs
 wrote:
> Answer: It broke the flow of reading
> .
> Question: Why is top posting bad?
>
> Please stop that.
>
> The high-quality ppa's are done by Ubuntu&Debian developers and not
> upstream authors. Those that are fixing bugs in Ubuntu are targeted
> at ubuntu archive after sufficient testing is done and uploaded.
>
> PPAs bitrot: it fixes one thing but ubuntu archive moves on and you
> are stuck either with old version with one fix from ppa or newer
> version from archive which has these after cool features but not this
> one fix.
>
> Plus I've been hit personally when ppa's don't provide versions for
> the current release.
>
> As for building on launchpad it is theoretically possible to make a
> binary blob tarball upload it and just run dpkg-deb*
>
> * I haven't tried it myself & possibly there are auto-rejection
> scripts on launchpad to detect this.



Re: Ubuntu needs a new development model

2010-05-05 Thread Dmitrijs Ledkovs
On 6 May 2010 02:38, Ryan Oram  wrote:
> All the packages I have pulled from dev PPAs have been of high
> quality. In fact, most of them fix problems present in the Ubuntu
> packages.
>
> Really only a minimal amount of review and testing should be needed.
> Ubuntu would just need to require that developers build their packages
> on Launchpad before review. Launchpad is an excellent filter in
> itself. We all know how much of a pain signing up for a Launchpad
> upload privileges is, in addition to the effort required to get
> something to even build on Launchpad (pbuilder is awesome, but boy
> getting something to build in a chroot environment can be a hassle).
>
> Ryan
>

Answer: It broke the flow of reading
.
Question: Why is top posting bad?

Please stop that.


The high-quality ppa's are done by Ubuntu&Debian developers and not
upstream authors. Those that are fixing bugs in Ubuntu are targeted
at ubuntu archive after sufficient testing is done and uploaded.

PPAs bitrot: it fixes one thing but ubuntu archive moves on and you
are stuck either with old version with one fix from ppa or newer
version from archive which has these after cool features but not this
one fix.

Plus I've been hit personally when ppa's don't provide versions for
the current release.

As for building on launchpad it is theoretically possible to make a
binary blob tarball upload it and just run dpkg-deb*

* I haven't tried it myself & possibly there are auto-rejection
scripts on launchpad to detect this.
> On Wed, May 5, 2010 at 9:30 PM, Dmitrijs Ledkovs
>  wrote:
>> Upstream developers build from trunk and they don't care on how to
>> package it cause they personally do not need it.
>>
>> Upstreams don't usually have a clue in packaging and spend quite a bit
>> of time trying to make it build and ignoring all lintian warnings
>> because someone asked them to & there is no real package available in
>> the archive.
>>
>> These upstream debianisations are usually of poor quality and can do
>> nasty things to your machine (static libs, auto-updating and pinging
>> upstream about userbase => google chrome & they do know how to package
>> btw so this was on purpose and not to make it fit into the system)
>>
>>
>> If some project doesn't have a package it is either new, unnoticed, or
>> half-broken code that it cannot justify packaging effort.
>


Re: Ubuntu needs a new development model

2010-05-05 Thread Ryan Oram
All the packages I have pulled from dev PPAs have been of high
quality. In fact, most of them fix problems present in the Ubuntu
packages.

Really only a minimal amount of review and testing should be needed.
Ubuntu would just need to require that developers build their packages
on Launchpad before review. Launchpad is an excellent filter in
itself. We all know how much of a pain signing up for a Launchpad
upload privileges is, in addition to the effort required to get
something to even build on Launchpad (pbuilder is awesome, but boy
getting something to build in a chroot environment can be a hassle).

Ryan

On Wed, May 5, 2010 at 9:30 PM, Dmitrijs Ledkovs
 wrote:
> Upstream developers build from trunk and they don't care on how to
> package it cause they personally do not need it.
>
> Upstreams don't usually have a clue in packaging and spend quite a bit
> of time trying to make it build and ignoring all lintian warnings
> because someone asked them to & there is no real package available in
> the archive.
>
> These upstream debianisations are usually of poor quality and can do
> nasty things to your machine (static libs, auto-updating and pinging
> upstream about userbase => google chrome & they do know how to package
> btw so this was on purpose and not to make it fit into the system)
>
>
> If some project doesn't have a package it is either new, unnoticed, or
> half-broken code that it cannot justify packaging effort.



Re: Ubuntu needs a new development model

2010-05-05 Thread Dmitrijs Ledkovs
On 6 May 2010 02:16, Tom H  wrote:
> On Wed, May 5, 2010 at 9:08 PM, Dmitrijs Ledkovs
>  wrote:
>> On 6 May 2010 01:38, Brandon Holtsclaw  wrote:
>>> On Wed, 2010-05-05 at 20:34 -0400, Daniel Hollocher wrote:
>>>> I'm pretty sure that getdeb.net and the ppa's on launchpad satisfy
>>>> most cravings for rolling releases.
>>>
>>> And Debian sid and/or Testing for that matter
>>
>> And of course ubuntu+1
>
> Except that there is a period of a few weeks after a release where
> there is no ubuntu+1
>

Similar for debian but stretched a bit timewise for testing & sid and
even experimental in some ways.

How about going fedora style and opening ubuntu+1 for toolchain &
debian package autoimport at rc such that at day 0 we have ubuntu+1?

This will put pressure on toolchain hackers we love you =)
don't hate us for suggesting this.



Re: Ubuntu needs a new development model

2010-05-05 Thread Dmitrijs Ledkovs
On 6 May 2010 02:09, Ryan Oram  wrote:
> It seems like a good site, but I ultimately feel it should be the
> developer themselves who package the applications, as the developers
> will have a much greater incentive to make working and tested packages
> than the maintainers (no offense to the great work of the maintainers
> of Ubuntu and Debian).
>
> Ryan
>

Upstream developers build from trunk and they don't care about how to
package it cause they personally do not need it.

Upstreams don't usually have a clue in packaging and spend quite a bit
of time trying to make it build and ignoring all lintian warnings
because someone asked them to & there is no real package available in
the archive.

These upstream debianisations are usually of poor quality and can do
nasty things to your machine (static libs, auto-updating and pinging
upstream about userbase => google chrome & they do know how to package
btw so this was on purpose and not to make it fit into the system)


If some project doesn't have a package it is either new, unnoticed, or
half-broken code that it cannot justify packaging effort.

> On Wed, May 5, 2010 at 9:05 PM, Daniel Hollocher
>  wrote:
>> Hey there,  have you thought about just working more closely with
>> getdeb.net?  They are doing the same thing, except it isn't restricted
>> to just multimedia packages.  Regardless, good luck.
>>
>> On Wed, May 5, 2010 at 8:47 PM, Ryan Oram  wrote:
>>> End users don't want to have to add PPAs or download .deb files off of 
>>> websites.
>>>
>>> With infinityOS, users never have to leave their package management
>>> system (or Software Center really) to get programs or update them to
>>> the latest versions. This includes drivers. It works so well that I am
>>> now suggesting that downloading packages from a third-party website is
>>> a security hazard and that users should stick only to the packages
>>> provided by default in the infinityOS and Ubuntu repos. This
>>> completely eliminates the possibility of spyware, as end-users would
>>> only download packages that have been authenticated, peer-reviewed,
>>> and tested.
>>>
>>> I would be more than happy to bring such functionality upstream to
>>> Ubuntu. I want my ideas to be used by as many people as possible.
>>>
>>> Thanks,
>>> Ryan Oram
>>>
>>> On Wed, May 5, 2010 at 8:34 PM, Daniel Hollocher
>>>  wrote:
>>>> I'm pretty sure that getdeb.net and the ppa's on launchpad satisfy
>>>> most cravings for rolling releases.
>>>>
>>>
>>
>>
>>
>> --
>> In science and in mind, the impossible and the hasn't-happened-yet are
>> indistinguishable.
>>
>



Re: Ubuntu needs a new development model

2010-05-05 Thread Ryan Oram
It seems like a good site, but I ultimately feel it should be the
developer themselves who package the applications, as the developers
will have a much greater incentive to make working and tested packages
than the maintainers (no offense to the great work of the maintainers
of Ubuntu and Debian).

Ryan

On Wed, May 5, 2010 at 9:05 PM, Daniel Hollocher
 wrote:
> Hey there,  have you thought about just working more closely with
> getdeb.net?  They are doing the same thing, except it isn't restricted
> to just multimedia packages.  Regardless, good luck.
>
> On Wed, May 5, 2010 at 8:47 PM, Ryan Oram  wrote:
>> End users don't want to have to add PPAs or download .deb files off of 
>> websites.
>>
>> With infinityOS, users never have to leave their package management
>> system (or Software Center really) to get programs or update them to
>> the latest versions. This includes drivers. It works so well that I am
>> now suggesting that downloading packages from a third-party website is
>> a security hazard and that users should stick only to the packages
>> provided by default in the infinityOS and Ubuntu repos. This
>> completely eliminates the possibility of spyware, as end-users would
>> only download packages that have been authenticated, peer-reviewed,
>> and tested.
>>
>> I would be more than happy to bring such functionality upstream to
>> Ubuntu. I want my ideas to be used by as many people as possible.
>>
>> Thanks,
>> Ryan Oram
>>
>> On Wed, May 5, 2010 at 8:34 PM, Daniel Hollocher
>>  wrote:
>>> I'm pretty sure that getdeb.net and the ppa's on launchpad satisfy
>>> most cravings for rolling releases.
>>>
>>
>
>
>
> --
> In science and in mind, the impossible and the hasn't-happened-yet are
> indistinguishable.
>



Re: Ubuntu needs a new development model

2010-05-05 Thread Tom H
On Wed, May 5, 2010 at 9:08 PM, Dmitrijs Ledkovs
 wrote:
> On 6 May 2010 01:38, Brandon Holtsclaw  wrote:
>> On Wed, 2010-05-05 at 20:34 -0400, Daniel Hollocher wrote:
>>> I'm pretty sure that getdeb.net and the ppa's on launchpad satisfy
>>> most cravings for rolling releases.
>>
>> And Debian sid and/or Testing for that matter
>
> And of course ubuntu+1

Except that there is a period of a few weeks after a release where
there is no ubuntu+1



Re: Ubuntu needs a new development model

2010-05-05 Thread Dmitrijs Ledkovs
On 6 May 2010 01:38, Brandon Holtsclaw  wrote:
> On Wed, 2010-05-05 at 20:34 -0400, Daniel Hollocher wrote:
>> I'm pretty sure that getdeb.net and the ppa's on launchpad satisfy
>> most cravings for rolling releases.
>
> And Debian sid and/or Testing for that matter
>

And of course ubuntu+1



Re: Ubuntu needs a new development model

2010-05-05 Thread Ryan Oram
End users don't want to have to add PPAs or download .deb files off of websites.

With infinityOS, users never have to leave their package management
system (or Software Center really) to get programs or update them to
the latest versions. This includes drivers. It works so well that I am
now suggesting that downloading packages from a third-party website is
a security hazard and that users should stick only to the packages
provided by default in the infinityOS and Ubuntu repos. This
completely eliminates the possibility of spyware, as end-users would
only download packages that have been authenticated, peer-reviewed,
and tested.

I would be more than happy to bring such functionality upstream to
Ubuntu. I want my ideas to be used by as many people as possible.

Thanks,
Ryan Oram

On Wed, May 5, 2010 at 8:34 PM, Daniel Hollocher
 wrote:
> I'm pretty sure that getdeb.net and the ppa's on launchpad satisfy
> most cravings for rolling releases.
>



Re: Ubuntu needs a new development model

2010-05-05 Thread Brandon Holtsclaw
On Wed, 2010-05-05 at 20:34 -0400, Daniel Hollocher wrote:
> I'm pretty sure that getdeb.net and the ppa's on launchpad satisfy
> most cravings for rolling releases.

And Debian sid and/or Testing for that matter

-- 
Brandon Holtsclaw
m...@brandonholtsclaw.com
http://www.brandonholtsclaw.com




Re: Ubuntu needs a new development model

2010-05-05 Thread Daniel Hollocher
I'm pretty sure that getdeb.net and the ppa's on launchpad satisfy
most cravings for rolling releases.



Re: Ubuntu needs a new development model

2010-05-05 Thread John King
Personally, I've been thinking about suggesting an 'updates'/'main-updates' 
repo, for at least commonly used applications. It would be implemented in a way 
in which apt wouldn't auto upgrade the program (or at least ask first), but it 
would be accessed by an addon maybe, to the Ubuntu Software Center. That way 
the user can go there, click 'install newest version', and easily have the 
newest version of say, Firefox along with his/her Windows friends, without 
having to add potentially unstable PPAs or wrestling with how to get the 
official app working (personally, I was a noob at one point. So when I 
downloaded the *.tar.gz for Firefox on Linux, I assumed that meant I'd have to 
compile the program. I spent a half hour trying to find 'make, make install' 
instructions for it before realizing that it was precompiled xD I wouldn't wish 
that on a user who just wants to have the newest Firefox so he can keep up with 
his Windows friends (at least in that regard).)

Ryan Oram  wrote:

>Ubuntu needs a change in direction. I propose that Ubuntu adopt a
>development model where only the core operating system, userland, core
>libraries, and desktop environment are frozen every 6 months. The
>applications would then be freely updated to the newest versions at
>all times. Package maintenance and support for the end-user
>applications would be provided by the developers themselves.
>
>This new release system would be very similar to the semi-rolling
>release system I implemented (and tested) in infinityOS.
>
>Thanks,
>Ryan Oram
>