[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Why are so many great packages not trying to get included in GNU Ema

From: Tim Cross
Subject: Re: Why are so many great packages not trying to get included in GNU Emacs?
Date: Fri, 24 Apr 2020 09:57:22 +1000

I think a pull model wold actually be more secure and less maintenance. It would mean that the contents of ELPA is 100% under the control of GNU. You would have fewer access credentials to manage and would eliminate the risk associated with external people and their management of their access credentials. If wanted, you could also add processes to do any verification tasks e.g. has tests, documentation, no large commits from people without copyright assignment, code quality whatever.

On Fri, 24 Apr 2020 at 09:12, Eric Abrahamsen <address@hidden> wrote:
Stefan Monnier <address@hidden> writes:

>> I think it could be even simpler than that: ELPA is built every 24 hours
>> right now. If we just registered external repos with ELPA, part of the
>> build process could be pulling from those repos automatically, once per
>> day. Package authors already have a mechanism for manually triggering a
>> release: incrementing the package version number. There's no harm in
>> ELPA bringing in new commits from the externals, if the author is still
>> in control of when a new version is released.
> I think it's important that we don't "pull" from "random" places like
> Github repositories.  More specifically, the "push to elpa.git" serves
> as a confirmation that someone thinks this code is appropriate for
> elpa.git (typically the concern being copyright).

It doesn't seem much more random to say "we're adding your repo URL to
our list of approved ELPA pull-sources" than to say "you're now free to
push whatever you like", does it? An ELPA administrator still has to
make that explicit decision to add the URL, so there's still a level of



Tim Cross

reply via email to

[Prev in Thread] Current Thread [Next in Thread]