
Re: Appreciating developers



> > To me, there is sadly little surprising about tech-heads who think
> > anyone without knowledge of O_EXCL to be a total dweep.
> 
> If Debian stops being a distribution built by tech-heads then it will
> cease to be worthwhile.
> 
> Anyone who doesn't know about O_EXCL (and the dozen or so other common
> mistakes) should not be writing code until they've learned.  I'm
> sorry, but you can't remove requirements for technical competence and
> knowledge from this technical job.

You're right of course: anyone who doesn't know about O_EXCL shouldn't
be writing C code which might suffer from security problems of this
nature.  But it wouldn't surprise me if a significant number of Debian
maintainers aren't writing the C code themselves, but just working on
upstream sources and turning them into Debian packages, watching for
bugs and correcting them where feasible, etc.  This does not
necessarily require knowledge of O_EXCL, although all knowledge
certainly helps.  There is SO much knowledge one needs in order to be
conversant with every bit of software in the Debian project -- but I
do not believe that more than a handful of people in the world are
that conversant with all of it.  Yes, we should be worried about
maintainers who don't know O_EXCL writing setuid root C programs, we
should warn maintainers about the problems of race conditions if they
are writing non-setuid shell scripts which exhibit the problems, but
we need not worry on this count if the maintainers are only writing
safe installation scripts and documentation pages.

But any way you look at it, the METHOD of informing the individual
concerned about their errors is the crucial point here.  Debian does
need the not-quite-so-techie maintainers who support relatively simple
packages as much as the tech-heads who patch kernels in their sleep:
you only need to consider the number of unfixed bugs in the BTS and
the number of orphaned packages listed by WNPP to realise this.  And
if they make mistakes, by all means let the techies educate them so
they do better next time.  But educate them SENSITIVELY!!  Debian
can't afford to lose maintainers over a matter of attitude.

> One Of These Days I shall write a `common programming mistakes'
> document.

That would be wonderful!

> Ian.

Best wishes, and thanks for leading the project this year,

   Julian

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

            Julian Gilbey             Email: J.D.Gilbey@qmw.ac.uk
       Dept of Mathematical Sciences, Queen Mary & Westfield College,
                  Mile End Road, London E1 4NS, ENGLAND
      -*- Finger jdg@goedel.maths.qmw.ac.uk for my PGP public key. -*-

