>>>>> "Susan" == Susan G Kleinmann <sgk@kleinmann.com> writes:

Susan> When I tried to download and install 'foo', I quickly
Susan> discovered that its dependencies were not satisfied by
Susan> other packages in the archive, so of course it couldn't be
Susan> installed (i.e., using Debian packaging tools, without
Susan> using --force).

So what else is new?

Three packages that are not installable ATM:

evolution: depends on libgal* and that is not there *anymore*.
qf-data-openquartz... let's not talk about that.
openacs: hmm, postgresqll-pl is gone...

All of these are by regular maintainers. The first two have been broken for some time now. (Not just a measly 7 days.)

So what again is your point?

Susan> -- the package was developed by someone who has applied to be a new
Susan> maintainer, but who has not gotten very far on that process yet;
Susan> in fact, the database showed that even his ID hasn't been checked yet!

Sometimes, as others have already mentioned, the ID check is the hardest to muster, so "not even that" is not very apt.

Susan> -- the package (or any near relative as far as I can tell) was not ever
Susan> announced in the WNPP.

Oooh, that's certainly a punishable crime...

Susan> Apparently, the package was sponsored by some debian
Susan> developer who didn't have much time to make _any_ checks on
Susan> it before sponsoring it.

*This* is a problem, yes. But: first you could ask the sponsor personally before publicly raising a stink. *Then*, if the reply by the sponsor is not to your satisfaction, you can raise a stink all you want.

And: what would have happened had a regular maintainer produced this? Was it in any way dangerous... or just annoying? (Oh, I've seen my share of buggy, annoying packages in my time... *long* before the sponsoring began.)

Susan> This leads me to the question, what are the rules for
Susan> sponsorship? I couldn't find the word 'sponsor' in any of
Susan> the files in either of: --developers-reference (version
Susan> 2.8.7), or --debian-policy (version 3.5.5.0).

Sponsoring is not (yet?) an official "duty" (neither is it a revocable privilege... in fact, there are many revocables for a maintainer anyway).

Susan> If there are no rules for sponsorship, and no consequences
Susan> for sponsoring blatantly buggy packages, then I guess each
Susan> user simply has to develop his own experience database wrt
Susan> maintainers whose packages can be trusted [1].

Just as with packages a maintainer does on his own, neither as sponsor nor as sponsee (that a word?).

Really, why are sponsored packages so different from non-sponsored packages? A maintainer is simply responsible for the packages he uploads... what does it matter who actually produced them?

Try a little experiment: look at a non-sponsored package (done completely, from upstream source to .deb, by a regular maintainer) as a sponsored package... yep, because it's simply injecting the upstream stuff into the Debian mirror system.

Now... I applaud grisu for checking the sponsee's diff line-by-line. But... does he do the same for his upstream sources? Do you? Do any other maintainers do that?

And concerning ID... who knows the real name of Nmap's author (who I only know as Fyodor)? Who even knows what he looks like? Have you used Nmap? Have you checked the source, line-by-fucking-line?

Susan> This whole experience seemed like an awfully big hole in
Susan> the debian packaging/archiving policies; if I missed
Susan> something, I'd very much appreciate being corrected.

<cynical>Yep, the Debian Law has some awful holes. Might be because we're still not a big huge bureaucracy, and still believe in some common sense and volunteer(!) cooperation.</cynical>

Or, as Rodney King said: can't we all just get along?

Speaking of rules: where does it say what happens to a regular maintainer when he/she(;-) uploads "such buggy packages"? 40 lashings with a wet noodle? Never seen such a clause...

Bye, J

-- 
Jürgen A. Erhard (juergen.erhard@gmx.net, jae@users.sourceforge.net)
MARS: http://members.tripod.com/Juergen_Erhard/mars_index.html
Stop the execution of Mumia Abu-Jamal! (http://www.freemumia.org)
pros do it for money -- amateurs out of love.