Hi,

While sponsoring the new version of hex-a-hop, I encountered

    XS-DM-Upload-Allowed: yes

Jens told me Miriam added this, not only there but also to many other packages. I removed it for the upload, and want to ask to remove them from the others as well. I'll explain here why.

First of all, I'm a big proponent of the Debian Maintainer idea, and I think it would be very good to use this system also within the games team. However, it is important to know that this is about trust. Becoming a Debian Maintainer means you can upload some packages directly into the Debian archive, without a Debian Developer looking at them.

Debian Developers have been "screened" by the NM process, and considered trustworthy. The sponsoring system uses this fact to allow others to prepare packages for the archive. They must then be checked by a Developer before they can enter.

The problem that the Debian Maintainer idea is solving is that of a sponsor who has checked and found acceptable packages from some person, but this person doesn't want to become a Debian Developer (or is still in the queue). Then the sponsor may get tired of it, and the packager may get tired of waiting for the sponsor every time. That is no longer the case if the packager becomes a Debian Maintainer for the package.

Because it's easier to become a DM than to become a DD, there are some technical barriers set up to prevent abuse of this system. These are:

- It's (a bit) hard to become a DM. You need some people advocating you, and no people against it. And you need to accept the usual stuff (social contract, machine usage policy).
- You can only upload your own packages. Those are the ones which have your name on them (in the version that's already in the archive).
- You can only upload packages which are marked as "acceptable for DM upload" using the tag this message is about. (Well, without XS, so these tags don't do anything, but they suggest that adding the real tag is a detail).

All three of these are important barriers IMO. They are all intended to prevent abuse. The first by not letting irresponsible people touch anything. The second by disallowing random changes all over the place (also to packages of other DMs), and the third by requiring explicit consent from a DD (the sponsor) for any package which may be touched.

The abuse that can be done by adding these tags (without discussing with the sponsor) may not be huge, but it is not negligible either. And there is no reason the sponsor shouldn't specifically be told (and agree) when this happens.

So I strongly suggest to remove them everywhere until there is agreement with the sponsor that this is a good idea for the specific package where the tag is added. And when it happens, it's a pretty big thing, so it should certainly be in debian/changelog.

Finally, I'm trying not to sound too much like a policeman. If you disagree with my opinion, please reply and say why. These things can be discussed. :-)

Thanks,
Bas

Ps: I am aware that there is currently no implementation for uploading by DMs. But when preparing for when that is done, we should consider things as if it's done already.

-- 
I encourage people to send encrypted e-mail (see http://www.gnupg.org).
If you have problems reading my e-mail, use a better reader.
Please send the central message of e-mails as plain text in the message body, not as HTML and definitely not as MS Word.
Please do not use the MS Word format for attachments either.
For more information, see http://pcbcn10.phys.rug.nl/e-mail.html