On Mon, Jun 10, 2002 at 06:33:07AM -0700, Jeremiah Mahler wrote:
> On Mon, Jun 10, 2002 at 08:45:12AM -0400, Stephen Frost wrote:
> > * Jeremiah Mahler (jmahler@pacbell.net) wrote:
> > > On Mon, Jun 10, 2002 at 08:22:41AM -0400, Michael Stone wrote:
> > > What about the idea that anyone (not just maintainers) can submit
> > > packages and they will be available immediately to others without
> > > having to go through an intermediate person.

> > Bad idea from a security standpoint, of course.

> Not everyone is forced to use the packages contributed from the public.
> There can still be packages approved by official developers. A user
> could decide to only use the packages marked as approved and they would
> be as safe as Debian is now.

And, once again, you are free to set up your own archive of .deb packages
outside the confines of Debian: no one in Debian needs to give you the
go-ahead in order to do this. But by virtue of the fact that you're not
creating official Debian packages, Debian is not going to endorse these
packages, either.

Aside from the security issue, it's important to recognize that Debian is
focused not on providing large quantities of programs in package form, but
rather on providing an *operating system* where all of the software we
package integrates cleanly. That means communication and organization, and
it means dispute resolution policies, to ensure that all packages play nice
together. How do you go about establishing such a system when accepting
packages from anyone at all is the norm?

> > > In contrast, Debian allows only specific people to add new packages
> > > and only the maintainer can fix their packages. This requires work
> > > by specific people which makes development slow.
> >
> > "Specific people" being the entire set of Debian people, which is a
> > pretty decently sized set of people.

> What about the situation where a package is broken and the maintainer
> is unreachable. In the model described in the article anyone could
> fix the package (assuming it is not a critical package) but it would
> be marked as new so that people who only want safe packages would
> know to stay away from it. Then, if the maintainer comes back he/she
> could check the package and approve it so that it could now be used
> by people who want safe packages.

And by the same token, anyone could *break* the package, as well.

The mechanisms that prevent Debian developers from fixing a broken package
when the maintainer is unreachable are not technical, they're social; and
they come from the recognition that a badly done NMU is often worse than a
delayed fix. The more eager a non-DD is to do an NMU of, say, glibc, the
more likely it is that the non-DD in question does NOT have the skills
necessary to do it properly.

In addition, there's the factor of simply having more packages than we do
developers who care about them. There are more than a couple packages out
there for which there's no more than one developer who cares to *be*
familiar enough with the package to be able to do a proper upload. I don't
see that Gentoo will magically overcome this social reality with their
system. It's something that Debian is trying to address through the PTS,
for instance.

Steve Langasek
postmodern programmer
Attachment:
pgpHpdQ731liC.pgp
Description: PGP signature