Re: [New maintainer] Working for Debian and becoming a registered Debian developer

[Buddha Buck <bmbuck@zaphod.dhis.org>]

> Now, I am not a 'debian developer' in that I don't have a login on
> the debian machines and thus I don't maintain any pacakges there.
> So feel free to ignore this entire message.
> 
> I don't understand why an application, if sent in proper format, could not
> be automatically processed, provided that it is signed by the pgp key of a
> known developer.  Of course, there is no 'proper format' since this has
> always been done by hand... but since the list of things that need to be
> in an application is so short, I cannot see why it is at all difficult. 

In principle, you are right, but there is the added complication that 
the new maintainers team wants to call you and speak to you in person 
to verify that you do understand the Social Contract and agree to it.  
That's where things slow down.
 
> From the developer's reference, this is what has to be sent:

(rearranged slightly)
 
> Your name.  
> Your preferred login name on master.
> A PGP key signed by any current Debian developer you have met in real life. 
> A keyserver where your public key is available

These are all that is necessary for the -technical- portion of creating 
a new maintainer

> A statement of intention.
> A statement that you have read and agree to uphold the Debian Social Contract. 
> A phone number where we can call you. 
> The magic words "I affirm that I believe in the Debian Social contract, 
>                  and agree to fight all its foes until I die"

Um... I think that the last one is a bit strong, but the rest is 
necessary to match the stated ideology of this distribution -- a 
commitment to free software, especially as embodied in the Social 
Contract and DSFG.

> So all that the program would have to do is:
>   1) get public key
>   2) verify signature of user
>   3) verify signature of debian developer
>   4) adduser foo (random password)
>   4b) encrypt password with public key of new user, so that
>       new user can decrypt it later
>   5) mail -s "You're a developer now!" new_user@bar 
>   6) mail -s "New developer added: $foo" new_maint@debian.org 
> 
> This is not an overly challenging program to write.  The fact that it
> still is not written is testament to an underlying ideology of this
> distribution:
> 
> You want to make it hard for new maintainers to join debian.  Moreover,
> you want them to do what YOU want them to do (WNPP), rather than
> whatever else they are interested in.  If they don't want to do what YOU
> want, then they are not allowed to play.  

If this is the intent, then it has managed to elude me in my four years 
of following Debian.  In fact, every time it is raised to make it 
official policy to do exactly that, there is enough opposition to 
prevent it from happening.  The bottom line is:  This is a distribution 
done by volunteers.  And you fundamentally can not tell volunteers to 
do something they don't want to do -- if you try, they opt out.

I have not seen anything implying that it is a policy, official or 
otherwise, to make it hard to become a Debian developer, except as 
necessary to verify identity and commitment to the Social Contract and 
understanding of the DSFG.

(Note:  I am not now, nor have I ever been a Debian Developer.  I have, 
however, used Debian for over three years and have followed the policy 
discussions of Debian for the entire time.  Unless my memory fails me, 
my involvement in Debian predates the Social Contract and the DSFG, so 
I believe that I know what Debian stands for, and what principles have 
guided it.)

> 'Application' is a very strange word for something that is essence of the
> open-source movement:  the ability to assist with the development of your
> software.  

Most free software projects have some policy, formal or otherwise, for 
controlling who can and cannot commit something to the released project 
(for lack of a better word).  I think most would agree that such 
control is necessary to prevent malicious changes, etc.  Usually, it is 
a central person (such as Linus Torvalds or Brent Welch) who controls 
what patches get applied to the project.  Other projects use restricted 
CVS access to limit who can directly contribute.

Debian probably has more active developers with direct commit ability 
than most, if not all, other open software projects.  Granted, it's a 
distribution rather than a single program, which makes it easier.  
Still, such controls have to be formalized in order to scale well.  
Sure, the project is bureaucratic, but bureaucracies exist to deal with 
large numbers of people, like Debian has to.

> I can see the benefits you think that you gain from this.  But I do not
> think that you consider the cost of potential effort that is thwarted
> when people find it difficult to join and go elsewhere where they
> are welcomed rather than shunned or marginalized.

These issues are raised every time this comes up.  We aren't ignoring 
them, but there are no easy answers, either.


> 
> Carl
> 

-- 
     Buddha Buck                      bmbuck@zaphid.dhis.edu
"Just as the strength of the Internet is chaos, so the strength of our
liberty depends upon the chaos and cacaphony of the unfettered speech
the First Amendment protects."  -- A.L.A. v. U.S. Dept. of Justice