
Re: [Idea] Debian User Repository? (Not simply mimicking AUR)




On Sun, Apr 07, 2019 at 01:26:12PM +0000, Mo Zhou wrote:
>...
> (2) Dirty but useful non-free blobs, such as nvidia's cuDNN (CUDA Deep
> Neural Network) library, which dominates the field of high performance
> neural network training and inference. I really hate reading NVIDIA's
> non-free legal texts, and in such repository we can avoid reading the
> license and just get the scutwork done and make users happy.
> 
> (3) Data with obscure licensing. In this repository we can feel free to
> package pre-trained neural networks or training data without carefully
> examining the licensing.

The requirements for distributing software in the system you want to 
set up wouldn't be much different from what is required for non-free.

Anything that is legal to distribute can likely go into non-free.

>...
> (5) Packages that utilize SIMD instructions heavily. Such a package is
> very easy to package in such repo. (So this Proposal actually suppresses
> and replaces my SIMDebian project).

Run-time autodetection is the best solution.

We also have packages that build several versions of a program,
with a tiny wrapper that selects the best at startup.

> 2. Allows us to offload some low-popcon, or QA-questionable packages
> from the archive. Debian's archive size is continuously increasing, but
> the number of Debian Developers has been staying around 1000 for many
> many years. Saturation will definitely happen in the future if we do
> nothing to change - or saturation has already happened. An Archlinux
> Developer's saturation point may be several thousand (See Felix Yan, an
> Arch Dev), but a Debian Developer often saturates at, maybe 30~100?

You make it sound as if the number of packages would be what matters most.
Which is not true.

A low-popcon package that is old and stable and stale and doesn't depend 
on changing libraries usually just continues working with close to zero 
effort.

Most work is in the volatile areas of the archive, e.g. tensorflow as
one package might create more work than whatever you would consider
the saturation point for a single developer.

> Handing over some workload to the user community is not a bad thing,

"user community" sounds like a "somebody" that is in reality "nobody".

>...
> 3. Allows us to accept potential contributors friendly, and possibly
> form a new user community. The high quality standard of Debian may scare
> some potential contributors away.
>...

Package installation runs as root, which means you are granting root
access to the package creator of every single package you are installing.

Be it malicious intention or just a packaging mistake,
trust and quality are not really optional items.

> Best,
> Mo.

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed