| Summary: | profiles/package.mask is masking security holes when infinitely "testing" | | |
|---|---|---|---|
| Product: | Quality Assurance | Reporter: | Ulenrich <ulenrich> |
| Component: | Disputes/raising issues | Assignee: | Gentoo Quality Assurance Team <qa> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | mgorny |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |

Description
Ulenrich
2020-01-14 06:37:47 UTC
Further: In front of profiles/package.mask should be placed an explanation as follows:

---

When a version is "masked for experiments" you can help providing a bunch of users getting a better Gentoo experience by doing your experiments with that version, because after #TimePeriod all of Gentoo users have to experiment otherwise.

---

I've proposed a few times that we should drop this failed experiment and let people start over.

When comparing with Debian, they have one "state" more than we have:

A) Debian-experimental==package.mask/unkeyworded a very new project arrives
B) Debian-unstable==Gentoo.unstable, but package is whacky (really is unstable)
C) Debian-testing==Gentoo.unstable, package is on its way getting stable status
D) Debian-stable==Gentoo.stable + we are rolling the release!

B) is the moment when a Gentoo maintainer decides to package.mask the keyworded new version of a package, because they know many users allow unstable packages, because they want the new hot thing, but expect it to be usable (like Debian-testing).

If we don't want the effort of an additional Gentoo release, we could introduce an additional list positioned in profiles/unstable-whacky.info - or better: profiles/unstable-please-experiment.list

An additional portage flag (experiment-with-me) could allow these ebuilds or is an additional package.mask list. Emerge, when allowed "experiment-with-me" and using a version mentioned in this list, could display a purpose for the experiment:

"unstable warning: please test this version of lua-xy with media-video/mpv"

Otherwise the new list is just added to the old package.mask internally.

... this just is an idea how to encourage maintainers to let users experiment.

Indeed, the new list should be named profiles/unstable-please-experiment.mask as it should be handled exactly like package.mask but makes a different purpose of the mask explicit. A user masking a version should not be surprised, because the version keeps masked status.

The maintainer can introduce a new version for a few days in profiles/package.mask. The moment he knows the limitations of the ebuild better, he can express exactly a pointed warning for the users and push the ebuild for a wider audience into profiles/unstable-please-experiment.mask

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/devmanual.git/commit/?id=5ef0611901e3ef14e6473c960418985f6b6f7c61

commit 5ef0611901e3ef14e6473c960418985f6b6f7c61
Author: Sam James <sam@gentoo.org>
AuthorDate: 2022-01-12 04:36:03 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2022-01-22 21:34:56 +0000

    keywording: mention filing bugs for package.mask entries

    It's useful to have a bug filed for things masked for testing / due to breakages so that feedback can be gathered in one place / the relevant issue can be debugged.

    We've sometimes had things p.masked indefinitely for "testing" when it's not clear exactly what needs to be done left, or due to a "bug" which with few details cannot be reproduced some time later.

    Bug: https://bugs.gentoo.org/705394
    Signed-off-by: Sam James <sam@gentoo.org>
    Closes: https://github.com/gentoo/devmanual/pull/262
    Signed-off-by: Sam James <sam@gentoo.org>

 keywording/text.xml | 6 ++++++
 1 file changed, 6 insertions(+)