
Re: sponsor rules

On Mon, 16 Jul 2001, Joshua Haberman wrote:

> * Previously Ari Pollak (compwiz@aripollak.com) wrote:
> > >   No NM progress -- not even an ID check.
> > This is kind of prejudiced against NMs who do not easily have access to
> > another maintainer for a keysigning

> Any sponsored package is installed into unstable, propagated through all
> the mirrors, and implicitly bears the official Debian stamp. Is it really
> a good idea to distribute and endorse the work of someone whose identity
> hasn't yet been verified?

How is this different than sponsoring a package assembled by any other NM who
has not yet been accepted for maintainership?  IMHO, the responsibilities of a
sponsor include *verifying that the package is not malicious*, i.e., comparing
any provided sources against upstream sources and thoroughly reviewing the
contents of the debian diff to check for correctness.

If we are going to assume that someone might try to trojan the distro through
public channels, why would we feel safe that everyone who's able to pass the
ID check is automatically trustworthy?  If anything, people who are skilled
enough to pass the ID check using a false ID should give us /more/ cause for
concern, since such a person is not only more likely to be trusted by other
developers, but also more likely to escape justice after the fact.

In any case, no one should ever upload a package that they haven't personally
assured the quality of.  This applies equally to sponsored packages and
packages the developer has assembled personally.

Steve Langasek
postmodern programmer

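The two checks Steve lists for a sponsor (comparing the provided sources against upstream, and reading the Debian diff) as a sponsor might script them. This is an added example, not code from the thread or from Debian's own tooling; the package name foo-1.0, the maintainer address nm@example.org, the tarballs and the debian.diff are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread): the two sponsor checks
# described above, as a sponsor might script them. Sample trees, tarballs
# and the debian diff below are constructed for the demo; foo-1.0,
# nm@example.org and the file contents are illustrative only.
set -eu

# Extract both tarballs and compare the trees. Comparing trees rather than
# tarball checksums is deliberate: an honest repack can differ byte for
# byte (timestamps, gzip level) while carrying identical sources. Returns 0
# when the trees match, 1 (with the diff on stderr) when they do not.
trees_identical() {
    work=$(mktemp -d)
    mkdir "$work/upstream" "$work/provided"
    tar -xzf "$1" -C "$work/upstream"
    tar -xzf "$2" -C "$work/provided"
    if diff -r "$work/upstream" "$work/provided" > "$work/diff.txt"; then
        rm -rf "$work"
        return 0
    fi
    cat "$work/diff.txt" >&2
    rm -rf "$work"
    return 1
}

# List the files a Debian diff touches outside debian/. Those hunks change
# upstream code and are where anything malicious would hide, so each one
# must be read line by line; hunks confined to debian/ are packaging only.
nondebian_paths() {
    grep '^+++ ' "$1" | sed 's/^+++ //' | cut -f1 \
        | sed 's|^[^/]*/||' | grep -v '^debian/' || true
}

# Build constructed sample inputs in a scratch directory and print its path.
make_samples() {
    d=$(mktemp -d)
    mkdir -p "$d/upstream/foo-1.0/src"
    printf 'int main(void) { return 0; }\n' > "$d/upstream/foo-1.0/src/main.c"
    printf 'foo 1.0\n' > "$d/upstream/foo-1.0/README"
    tar -czf "$d/upstream.tar.gz" -C "$d/upstream" foo-1.0

    # Honest repack: the same files re-tarred by the NM.
    cp -R "$d/upstream" "$d/clean"
    tar -czf "$d/provided_clean.tar.gz" -C "$d/clean" foo-1.0

    # Tampered "orig" tarball: one line that upstream never shipped.
    cp -R "$d/upstream" "$d/bad"
    printf '/* not in upstream 1.0 */\n' >> "$d/bad/foo-1.0/src/main.c"
    tar -czf "$d/provided_bad.tar.gz" -C "$d/bad" foo-1.0

    # Debian diff with one packaging hunk and one hunk into upstream code.
    cat > "$d/debian.diff" <<'EOF'
--- foo-1.0.orig/debian/control
+++ foo-1.0/debian/control
@@ -0,0 +1,2 @@
+Source: foo
+Maintainer: Example NM <nm@example.org>
--- foo-1.0.orig/src/main.c
+++ foo-1.0/src/main.c
@@ -1 +1,2 @@
+#include <stdlib.h>
 int main(void) { return 0; }
EOF
    echo "$d"
}

# Run both checks against a candidate upload. Exit status 0 means the
# orig tree matches upstream and the diff stays inside debian/.
sponsor_check() {
    rc=0
    if trees_identical "$1" "$2"; then
        echo "orig tarball: matches upstream tree"
    else
        echo "orig tarball: DIFFERS from upstream, see diff above"; rc=1
    fi
    touched=$(nondebian_paths "$3")
    if [ -n "$touched" ]; then
        echo "debian diff touches upstream code, review by hand:"
        echo "$touched"; rc=1
    else
        echo "debian diff: confined to debian/"
    fi
    return $rc
}

# Usage: sh sponsor-check.sh demo
case "${1:-}" in
    demo)
        s=$(make_samples)
        sponsor_check "$s/upstream.tar.gz" "$s/provided_clean.tar.gz" "$s/debian.diff" || true
        sponsor_check "$s/upstream.tar.gz" "$s/provided_bad.tar.gz" "$s/debian.diff" || true
        rm -rf "$s"
        ;;
esac
```

Against the constructed inputs the clean repack passes the tree comparison and the tampered one fails it, while the diff check flags src/main.c for manual review in both cases, since a hunk outside debian/ is exactly what a sponsor has to read rather than trust.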