
Re: sponsor rules



* Previously "Jürgen A. Erhard" (juergen.erhard@gmx.net) wrote:
>     Joshua> Any sponsored package is installed into unstable,
>     Joshua> propagated through all the mirrors, and implicitly bears
>     Joshua> the official Debian stamp. Is it really a good idea to
>     Joshua> distribute and endorse the work of someone whose identity
>     Joshua> hasn't yet been verified?
> 
> Let me try a variation of this:

Ikes, I already posted a retraction on the main point, and I've gotten
more replies since than I'd like to count.

>   "Any package is installed into unstable, propagated through all the
>   mirrors, and implicitly bears the official Debian stamp. Is it
>   really a good idea to distribute and endorse the work of someone
>   whose identity hasn't yet been verified?"
> 
> Yes, I know you're part of upstream for audacity (just checked before
> I put my foot where it would impede my speech ;-)
> 
> But... well, do you think *every* maintainer can check *all* upstream
> IDs?

No, and I confess it's not a bright line. The difference in my eyes is
that an upstream package has probably been in open development for at
least several months, representing a great deal of work on the
developer(s)' part. The package has probably gotten at least some outside
use, which would make it likely that it was trojan free at some point.
That's a lot of work over a long period of time that would effectively be
thrown away by the deliberate introduction of a trojan and the smeared
reputation that would result (at least of the software, even if the
author isn't known).

Not to mention that people who put lots of time into creating things and
giving them away are the kind of people I would trust not to be
malicious, in general.

Finally, in the case that some upstream author did decide to introduce a
trojan which made it into Debian, upon discovery it would be clear that
the user's trust in Debian had not been violated, but rather in the trust
in the upstream authors. While it doesn't mean it shouldn't have been
caught, Debian would not be tarnished with the reputation of being
malicious, only careless (which is still an awful reputation, but not as
bad).

On the other hand, a Debian package that contained a trojan could be
created in very little time, with very little investment, and without the
previous testing that upstream software would have gotten. If there is no
way to identify who is creating the package and no reputation on the
line, someone could very easily introduce a trojan under a false name and
suffer no consequences, an enticing opportunity for a bored malicious
person.

HOWEVER, this argument is made moot by the fact that sponsorship entails
carefully inspecting the diff file and accepting responsibility for the
package until the prospective developer is a developer and can take
responsibility for the package themselves.

Joshua

-- 
Joshua Haberman  <joshua@haberman.com>


