XS-DM-Upload-Allowed



Hi,

While sponsoring the new version of hex-a-hop, I encountered
XS-DM-Upload-Allowed: yes
Jens told me Miriam added this, not only there but also to many other
packages.  I removed it for the upload, and want to ask to remove them
from the others as well.  I'll explain here why.

First of all, I'm a big proponent of the Debian Maintainer idea, and I
think it would be very good to use this system also within the games
team.

However, it is important to know that this is about trust.  Becoming a
Debian Maintainer means you can upload some packages directly into the
Debian archive, without a Debian Developer looking at them.  Debian
Developers have been "screened" by the NM process, and considered
trustworthy.  The sponsoring system uses this fact to allow others to
prepare packages for the archive.  They must then be checked by a
Developer before they can enter.

The problem that the Debian Maintainer idea is solving is that of a
sponsor who has checked and found acceptable packages from some person,
but this person doesn't want to become a Debian Developer (or is still
in the queue).  Then the sponsor may get tired of it, and the packager
may get tired of waiting for the sponsor every time.  That is no longer
the case if the packager becomes a Debian Maintainer for the package.

Because it's easier to become a DM than to become a DD, there are some
technical barriers set up to prevent abuse of this system.  These are:
- It's (a bit) hard to become a DM.  You need some people advocating
  you, and no people against it.  And you need to accept the usual stuff
  (social contract, machine usage policy).
- You can only upload your own packages.  Those are the ones which have
  your name on them (in the version that's already in the archive).
- You can only upload packages which are marked as "acceptable for DM
  upload" using the tag this message is about.  (Well, without XS, so
  these tags don't do anything, but they suggest that adding the real
  tag is a detail).

All three of these are important barriers IMO.  They are all intended to
prevent abuse.  The first by not letting irresponsible people touch
anything.  The second by disallowing random changes all over the place
(also to packages of other DMs), and the third by requiring explicit
consent from a DD (the sponsor) for any package which may be touched.

The abuse that can be done by adding these tags (without discussing with
the sponsor) may not be huge, but it is not negligible either.  And
there is no reason the sponsor shouldn't specifically be told (and
agree) when this happens.  So I strongly suggest removing them
everywhere until there is agreement with the sponsor that this is a good
idea for the specific package where the tag is added.

And when it happens, it's a pretty big thing, so it should certainly be
in debian/changelog.

Finally, I'm trying not to sound too much like a policeman.  If you
disagree with my opinion, please reply and say why.  These things can be
discussed. :-)

Thanks,
Bas

PS: I am aware that there is currently no implementation for uploading
    by DMs.  But when preparing for when that is done, we should
    consider things as if it's done already.

-- 
I encourage people to send encrypted e-mail (see http://www.gnupg.org).
If you have problems reading my e-mail, use a better reader.
Please send the central message of e-mails as plain text
   in the message body, not as HTML and definitely not as MS Word.
Please do not use the MS Word format for attachments either.
For more information, see http://pcbcn10.phys.rug.nl/e-mail.html
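
A sponsor-side check for the situation this message describes, as an added example that is not part of the original e-mail or of any Debian tool: it looks for the tag in the source stanza of debian/control, with or without a user-defined prefix such as XS-, and reports whether any debian/changelog entry mentions it. The package name, addresses and function names are constructed for illustration.

```python
import re

# The field with or without a user-defined prefix (X + any of B, C, S + "-").
FIELD_RE = re.compile(r"^(?:X[BCS]*-)?DM-Upload-Allowed$", re.IGNORECASE)
HEADER_RE = re.compile(r"^(\S+) \(([^)]+)\) ")   # "package (version) dist; ..."

# Constructed sample input for a hypothetical package (not from the page).
SAMPLE_CONTROL = ("Source: example-game\nUploaders: A. Packager <a@example.org>,\n"
                  " B. Sponsor <b@example.org>\nXS-DM-Upload-Allowed: yes\n\n"
                  "Package: example-game\nArchitecture: any\n")
SAMPLE_CHANGELOG = ("example-game (1.0-2) unstable; urgency=low\n\n"
                    "  * New upstream release.\n\n"
                    " -- A. Packager <a@example.org>  Mon, 01 Jan 2007 12:00:00 +0000\n")

def source_stanza_fields(control_text):
    """Parse the first (source) stanza of debian/control into {field: value}."""
    fields, current = {}, None
    for line in control_text.splitlines():
        if line.startswith("#"):
            continue                               # comment line
        if not line.strip():
            if fields:
                break                              # blank line ends the stanza
        elif line[0] in " \t" and current:
            fields[current] += " " + line.strip()  # continuation line
        elif ":" in line:
            current, value = line.split(":", 1)
            fields[current] = value.strip()
    return fields

def versions_mentioning_tag(changelog_text):
    """Versions whose changelog entry mentions the tag, newest first."""
    versions, current = [], None
    for line in changelog_text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = header.group(2)
        elif current and "dm-upload-allowed" in line.lower() and current not in versions:
            versions.append(current)
    return versions

def review_dm_tag(control_text, changelog_text):
    """Say whether the tag is set and whether any changelog entry records it."""
    tagged = [name for name, value in source_stanza_fields(control_text).items()
              if FIELD_RE.match(name) and value.lower() == "yes"]
    documented = versions_mentioning_tag(changelog_text) if tagged else []
    return {"field": tagged[0] if tagged else None, "documented_in": documented,
            "undocumented": bool(tagged) and not documented}
```

A result with `undocumented` set to true is the case the message objects to: the tag is present but nothing in the changelog tells the sponsor it was added.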
