Re: Updated Debian Maintainers Keyring
On Sunday 25 November 2007, Joey Hess wrote:
> Steve McIntyre wrote:
> > In this particular case, the problem is much worse than just a single
> > bug in a package - it's a total failure in the sponsorship
> > system.
>
> From what Ramakrishnan and other sponsors wrote on this thread, it
> sounds like Kartik was a frequent and active sponsee who did a lot of
> uploads. My experience with sponsoring such people is that you come to
> trust that they know what they're doing, and over time review their
> packages less thuroughly before sponsoring. You still run lintian each
> time, but you don't go looking for absurd lintian overrides[1]. You still
> download pristine source for new releases from upstream, but you don't
> examine every line of the sponsor's diff for potential backdoors. I
> think this is only human nature, and it parallels how we treat upstreams
> too (few developers review every line of the *upstream* changes for
> potential backdoors..).
Nice pleadings, but you seem to conclude that this was the only *absurd*
action [1] in their sponsoree/sponsor communication. What if they have been
doing absurd sponsoree packaging, loose or no sponsor checking from the very
begining ? What if that is not a unfortunate coincidence, but their general
style and tendency ?
[1] note that people are frighten not by the technical mistake (i.e. no
maintainer is perfect), but the way it was suppressed (i.e. every maintainer
should have a common sense and basic quality).
--
pub 4096R/0E4BD0AB 2003-03-18 <people.fccf.net/danchev/key pgp.mit.edu>
fingerprint 1AE7 7C66 0A26 5BFF DF22 5D55 1C57 0C89 0E4B D0AB
Reply to: