[Bf-committers] Blender Projects: Blender Extensions Add-Ons (scripts/plugins).

mindrones mindrones at yahoo.it
Sun Mar 7 17:00:40 CET 2010


--- On Sun, 3/7/10, jonathan d p ferguson wrote:

> > I will remove scripts from this svn at will if they don't meet
> > standards.
> Is this a general "I"? Or really the role of a "package maintainer"?

At the moment Brandon is taking care of scripts, but generally all of those with
bf-extensions svn access can do that if the script is in trunk/ and really malicious.

> > Any malicious code & the Dev will be immediately banned until an
> > explanation is provided and accepted (unlikely!)
> > You will be tried & hung by your peers. Be Warned.
> EEK! Wouldn't mentorship [13] be better? Does the Blender community
> actively punish contributors? My experience with the Blender community
> contradicts this statement. It is one of the most friendly, and
> encouraging, FOSS communities I know.

I think it was meant to be ironic :)

But yes, I doubt that you can trust again a coder who has consciously written some
malicious code, no?

> Debian [2,13], Ubuntu [3], and other notable projects use the Web of
> Trust [4,5,6,12] created by GnuPG keyrings [7] to keep all packages
> (think Operating System Extensions) secure, and tamper free [11,12].
> (There are other technical benefits too). The key difference, is that
> of guaranteed contributor accountability [12].
> Perhaps the Blender project would be wise to adopt something similar
> for developers and script-writers?

It's been a lot of work discussing it and then establishing this, I really
hope we don't change it now that it's all set up... :)

Also, everyone is on 2.5 now, jesterking will be away for a while so I think that
there aren't many human resources to do something more elaborate for a bit.

Meanwhile we can trust opinions from the involved extensions developers, which is
a good start I think.

> Thanks for all the hard work!

Thx :)

By the way, Brandon told me he will be offline for a week due to connectivity problems,
I guess he will take care to answer this thread when he's back.


> have a day.yad
> jdpf
> [1] Git is very good at this kind of integration, down to the level of
> the source-code, btw. This is because git identifies changesets as
> SHA1 hashes.
> [2] New Maintainer website (and process from Debian): https://nm.debian.org/newnm.php
> [3] Contributing to Ubuntu: https://wiki.ubuntu.com/ContributeToUbuntu#Contributing%20to%20the%20Universe%20Repository%20(MOTU)
> [4] GPG Web of Trust: http://www.gnupg.org/gph/en/manual.html
> particularly: http://www.gnupg.org/gph/en/manual.html#WOT-EXAMPLES
> [5] Advogato's Trust Metric http://www.advogato.org/trust-metric.html
> [6] Wikipedia: Web of Trust: http://en.wikipedia.org/wiki/Web_of_trust
> [7] Wikipedia: GPG: http://en.wikipedia.org/wiki/GNU_Privacy_Guard
> [8] A short history of GPG: http://lists.gnupg.org/pipermail/gnupg-announce/2007q4/000268.html
>   You will find libraries like GPGME much kinder to integration
>   efforts than some others: http://lists.gnupg.org/pipermail/gnupg-announce/2010q1/000298.html
> [9] US Export restriction law (as recently touched a blender
>   developer): http://www.bis.doc.gov/encryption/ and http://www.bis.doc.gov/encryption/pubavailencsourcecodenofify.html
>   for US mirrors and hosting services.
> [10] Electronic Privacy Information Center: http://epic.org/
> [11] GnuPG archive keys of the Debian archive: http://packages.debian.org/lenny/debian-archive-keyring
> [12] Debian's Web of Trust: https://nm.debian.org/nmgraph.php#manager
> [13] The debian-mentors FAQ: http://people.debian.org/~mpalmer/debian-mentors_FAQ.html



