[CentOS-devel] Missing security updates

Fri Jul 23 06:48:53 UTC 2010
Marcus Moeller <mail at marcus-moeller.de>

Dear Jeff.

>>> Yes, that's about right. The idea of testing stuff within CentOS has a
>>> very finite end point. With very few exceptions the only people trying
>>> to get onto the testing team are people looking for early access. There
>>> have only ever been a small number of people who actually do anything. I
>>> would love, more than anything else at this time, to have a large and
>>> productive testing team - but one that actually does something.
>>>
>>> Opening up the list to public and opening up access to the testing
>>> repos and hoping for the best is not only a stupid idea, it's also a
>>> massive waste of resources. But still it's the only solution people seem
>>> to come up with when I pitch this problem to them. So we carry on with
>>> our solution in place right now -> invite people we know and recognise
>>> to be people interested in helping. So visibility clueful people from
>>> the community here. And don't be mistaken: plenty have declined. Which
>>> is fine, everyone has their own agenda and life to live.
>>
>> There is even no clear process of how (trusted) ppl could join up.
>> It's all about 'Expect to get invited when free slots in the testing
>> team are available'.
>>
>
> The key issue is "trusted", not "join up". Credentials are
> earned, not handed out. Calling this a "process" is like
> calling a queue at the cash register a "process". Sure
> it's linear, and moves forward, and can be modeled according
> to objective measurements like cash in-flow or residence time
> in queue and all those metrics miss the point that
>        Credentials like "trusted" are earned, not otherwise.

This is quite good in theory but reality is different at least within
the CentOS project. First of all the process of 'earning' is not
described anywhere. Besides that there are not that many areas which
are open for contributions. It's quite hard to earn money without a
job.

And all this wouldn't be necessary if the process is open. I would
like to suggest to create an updates-testing repo which should be
available on every box but disabled by default. The packages should be
pushed from buildsys (after successful builds) to this repository. The
buildsys should be monitorable by everyone like the one of RPMFusion
e.g.: http://buildsys.rpmfusion.org/

Besides that Karan already started to document the build process which
should be extended a bit.

But those are just my 2 Franks

Greets
Marcus