
Re: sponsor rules



>>>>> "Susan" == Susan G Kleinmann <sgk@kleinmann.com> writes:

    Susan> When I tried to download and install 'foo', I quickly
    Susan> discovered that its dependencies were not satisfied by
    Susan> other packages in the archive, so of course it couldn't be
    Susan> installed (i.e., using Debian packaging tools, without
    Susan> using --force).

So what else is new?  Three packages that are not installable ATM:

  evolution:  depends on libgal* and that is not there *anymore*.

  qf-data-openquartz... let's not talk about that.

  openacs: hmm, postgresql-pl is gone...

All of these are by regular maintainers.

The first two have been broken for some time now.  (Not just a measly 7 days).

So what again is your point?

    Susan> -- the package was developed by someone who has applied to be a new 
    Susan>    maintainer, but who has not gotten very far on that process yet;
    Susan>    in fact, the database showed that even his ID hasn't been checked yet!

Sometimes, as others have already mentioned, the ID check is the
hardest to muster, so "not even that" is not very apt.

    Susan> -- the package (or any near relative as far as I can tell) was not ever
    Susan>    announced in the WNPP.

Oooh, that's certainly a punishable crime...

    Susan> Apparently, the package was sponsored by some debian
    Susan> developer who didn't have much time to make _any_ checks on
    Susan> it before sponsoring it.

*This* is a problem, yes.

But: first you could ask the sponsor personally before publicly
raising a stink.

*Then*, if the reply by the sponsor is not to your satisfaction, you
can raise a stink all you want.

And: what would have happened had a regular maintainer produced this?
Was it in any way dangerous... or just annoying?  (Oh, I've seen my
share of buggy, annoying packages in my time... *long* before the
sponsoring began).

    Susan> This leads me to the question, what are the rules for
    Susan> sponsorship?  I couldn't find the word 'sponsor' in any of
    Susan> the files in either of: --developers-reference (version
    Susan> 2.8.7), or --debian-policy (version 3.5.5.0).

Sponsoring is not (yet?) an official "duty" (neither is it a revocable
privilege... in fact, there are many revocables for a maintainer
anyway).

    Susan> If there are no rules for sponsorship, and no consequences
    Susan> for sponsoring blatantly buggy packages, then I guess each
    Susan> user simply has to develop his own experience database wrt
    Susan> maintainers whose packages can be trusted [1].

Just as with packages a maintainer does on his own, neither as sponsor
nor as sponsee (that a word?).

Really, why are sponsored packages so different from non-sponsored
packages?  A maintainer is simply responsible for the packages he
uploads... what does it matter who actually produced them?

Try a little experiment: look at a non-sponsored package (done
completely, from upstream source to .deb, by a regular maintainer), as
a sponsored package... yep, because it's simply injecting the upstream
stuff into the Debian mirror system.

Now... I applaud grisu for checking the sponsee's diff line-by-line.
But... does he do the same for his upstream sources?  Do you?  Do any
other maintainers do that?

And concerning ID... who knows the real name of Nmap's author (who I
only know as Fyodor)?  Who even knows what he looks like?  Have you
used Nmap?  Have you checked the source, line-by-fucking-line?

    Susan> This whole experience seemed like an awfully big hole in
    Susan> the debian packaging/archiving policies; if I missed
    Susan> something, I'd very much appreciate being corrected.

<cynical>Yep, the Debian Law has some awful holes.  Might be because
we're still not a big huge bureaucracy, and still believe in some
common sense and volunteer(!) cooperation.</cynical>

Or, as Rodney King said: can't we all just get along?

Speaking of rules: where does it say what happens to a regular
maintainer when he/she(;-) uploads "such buggy packages"?

40 lashings with a wet noodle?  Never seen such a clause...

Bye, J

-- 
 Jürgen A. Erhard  (juergen.erhard@gmx.net, jae@users.sourceforge.net)
     MARS: http://members.tripod.com/Juergen_Erhard/mars_index.html
   Stop the execution of Mumia Abu-Jamal!  (http://www.freemumia.org)
             pros do it for money -- amateurs out of love.
