Re: [New maintainer] Working for Debian and becoming a registered Debian developer
tony mancill <firstname.lastname@example.org> writes:
> > On 28 Jul 1999, Goswin Brederlow wrote:
> > > If a sponsor has to read everything I write to check for backdoors, he
> > > could probably write the stuff himself and if he doesn't read it,
> > > security is lost.
> Uh, why doesn't the sponsor just read the diff.gz to check for backdoors?
Because it might be a new package altogether. In case of bugfixes
looking at the changes is enough and the maintainer I know did that
for some bugs I tackled and gave me hints on how to fix it as well.
> The sponsoree cannot prevent the sponsor from comparing the original source
> to the tarball being submitted. I think that security is not a real
> concern. After all, the source and the BTS are available to everyone.
> I think that a period of mentorship/sponsorship would be positive for
mentorship yes, sponsorship no. Sponsorship, in my eyes, would mean
that the maintainer is responsible for the stuff his sponsory (or
whatever you call him) does, since the sponsory can't upload anything
in his own name. Any bugs or bad habits in the uploads will shoot back
at the maintainer sponsoring.
> And to your point on security, the new-maintainer interview process is not
> that rigorous. Sponsorship would allow Debian maintainers to detect
> people with bogus intentions (if that's what you're worried about)
> *before* they became official maintainers.
But it would draw a bad light on the sponsor as well. New maintainers
could be prevented from doing non-maintainer uploads or could be forced to
upload to a different area (e.g. experimental) until their work has
been looked at by some people. Actually any new package should go to
experimental first, so in fact that rule should be in force by
convention already for any package a new maintainer might submit.
For orphaned packages a new maintainer could be given a mentor, but I
think that to force that would be bad.
May your Source be with you.