
Re: Transition to gnat-4.6



Ludovic Brenta <ludovic@ludovic-brenta.org> writes:

> Stephen Leake wrote:
>> This means that under the current rules Debian Maintainers cannot
>> maintain libraries, only applications. Is that limitation
>> deliberate? I don't recall seeing it mentioned anywhere.
>
> I wouldn't go so far as to say Debian Maintainers cannot maintain
> libraries; only that they require a sponsor for every binary package
> name change, which normally includes soversion changes. 

Yes; the work involved in reviewing and uploading is less than fully
maintaining.

> With Ada, this requirement additionally applies to aliversion changes.
> Maybe the Debian Policy for Ada should make that more explicit. I
> certainly knew about, and accepted, this limitation all along, and
> yes, it is deliberate. I'm pretty sure the soversion change case was
> considered when the Debian Maintainer status was created.

Ok.

>>> Any maintainer can make his package Build-Depend on gnat, or imitate
>>> a shared library to fake whatever automatic test I can imagine.
>>
>> I think you are implying that Bad Things Can Happen if this rule is
>> accepted; can you be more explicit?
>>
>> For example, how would a malicious DM get malicious code uploaded by
>> this rule, that they can't do now?
>
> I think the danger that DM status prevents is that a malicious DM
> hijack a package that they don't own. There are strict rules for
> non-maintainer uploads; DMs simply cannot do NMUs. I think your
> proposed rule would make it much easier for a DM to hijack a package
> without a formal NMU, e.g. by renaming one of their binary packages to
> a package that already exists.

The proposed rule says the new name has to differ from the old name by
only a number change, so I don't see how this is possible.

-- 
-- Stephe

