[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ELPA update

From: Ted Zlatanov
Subject: Re: ELPA update
Date: Wed, 28 Sep 2011 08:52:04 -0500
User-agent: Gnus/5.110018 (No Gnus v0.18) Emacs/24.0.90 (gnu/linux)

On Wed, 28 Sep 2011 09:48:23 +0200 Julien Danjou <address@hidden> wrote: 

JD> On Tue, Sep 27 2011, Chong Yidong wrote:

>> It seemed preferable to have some human component in the procedure of
>> rolling out packages to users.  For instance, I try to scan the bzr logs
>> before doing each update.
>> But I'm open to arguments for simply setting it up as a cron job.

JD> I hope that the checks are done before commiting. :-) So I'd rather like
JD> a daily cronjob rathen than disturbing you each time I commit a bugfix
JD> that I want to give to users.
JD> And as the number of package will increase, I'm not sure you'll be able
JD> to do this review manually so, it might be best to trust us on short
JD> term. :)

I think the GNU ELPA is much more like a package repository than a
source code repository, so it makes sense to have some human overview,
especially considering the large number of committers.  We don't want
rogue code sneaking in and compromising our users.

To that end it would also be nice if we asked committers to sign their
contributions with their private GPG key, but I don't know if Bazaar
supports that.  If they did, we could have a list of approved public GPG
keys for any given package and contributions signed with those could be
automatically approved.  This is just a proposal though, I don't know
the best way to do it.

Most of us don't know how to run a package repository, so maybe we
should look at the Debian maintainers' process or ask them if we don't
have the local expertise.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]