
Re: security in testing



On Wed, May 14, 2003 at 05:53:50PM -0400, Don Armstrong wrote:
> Manoj's answer, while witty, is closer to the mark than you may
> realize.
> 
> Debian will always be for whoever the people contributing to Debian
> are willing/want it to be for. No more, no less.

Um, when we all agreed to be Debian Developers, we agreed to the
following from the social contract:

* Our Priorities are Our Users and Free Software

	We will be guided by the needs of our users and the free-software
	community. We will place their interests first in our priorities. We
	will support the needs of our users for operation in many different
	kinds of computing environment.....


So what does that mean?  If we define "our users" as ourselves,
then the social contract reduces to "we will place our interests first
in our priorities", and that doesn't sound so good, does it?  :-)

If our users include those who want something that is less stale than
"stable", but where they don't want to deal with having to stitch
together their system after an update to perl or lilo leaves their
system completely unusable, how do we meet their needs?  There are
certainly disagreements at the tactical level (we could solve this
problem by applying pressure to people to not upload broken packages
to unstable; we could solve the problem by fixing enough RC bugs that
packages flow into testing much more reliably and quickly; we could
solve the problem by recruiting people to upload into
"testing-security").  

But the first question before we discuss tactics is whether or not we
"should" do it.  Does the fact that we've accepted the Social Contract
put any kind of moral claim on what we as an organization do?  If the
answer to that question is yes, then individual developers will need
to search their souls and decide whether or not this means they are
feeling called to put in the time to fix an RC bug, or work to NMU or
otherwise clear a blocked, critical package, or contribute to security
or testing-security, or do something else to further the goal.

> I'd argue that the converse is more important. [Unless most developers
> do everything they do for purely altruistic reasons. I know I do what
> I do for selfish reasons first.]

That may be true, but the ideals articulated in the Social Contract
aspire to something higher than that.

						- Ted


