Re: RFC: Central version control for Debian
On Wed, Jan 31, 2001 at 10:55:31PM +0200, Moshe Zadka wrote:
> On Mon, 29 Jan 2001 16:54:16 -0500, Matt Zimmerman <email@example.com> wrote:
> > etc., etc. The biggest barrier to making this work seems to be deciding who
> > should be able to commit changes where. CVS may not currently be flexible
> > enough for our needs; it would be nice, for example, if certain users (the
> > security team) were able to create a branch for a package, but not trample
> > over the maintainer's current stuff.
> I may be reading you wrong here, but I'm not sure you need enough flexibility
> in CVS if you trust the developers: put it up with wide open permissions
> to the developers, and have a clear policy which it is up for the people
> to enforce on themselves. That's the way the Python development is organized,
> and it seems to be going great.
Debian has many more developers (probably) working on a much larger code base
(definitely). For a developer to sign a source package with her key, she must
have first-hand knowledge of all changes to the source. Imagine a malicious
user making direct changes to the CVS repository; this change would be almost
impossible to detect.