Re: sponsor rules
On Tue, Jul 17, 2001 at 12:10:18AM -0300, Henrique de Moraes Holschuh wrote:
> On Tue, 17 Jul 2001, "Jürgen A. Erhard" wrote:
> > Or, as Rodney King said: can't we all just get along?
>
> You're kidding, right? :)
>
> > Speaking of rules: where does it say what happens to a regular
> > maintainer when he/she(;-) uploads "such buggy packages"?
>
> If the damage is bad enough, a lot of his Debian maintainer peers will start
> to look down at him/her as a moron. That's bad enough for most people.
When a registered developer sanctions a package upload, then that implies
taking responsibility for the package uploaded, I agree. But I wish you
good luck in reminding the cats about their responsibilities. Do mind
that most cats do not like to sit on your lap if you stare at them.
Please don't propose more formalisms that only cloud the view of things.
There is the debian bug tracking system, where anyone alike can
submit bug reports and offer to help fix the bug if it is within that
person's abilities. Others can observe the open reports and may add
their suggestions to any reports. Maintainers (and adopters) have a
convenient self-archiving user feedback system. Users can look for
confirmation of problems experienced and possibly workarounds, as all
the current bug reports are indexed in the major web search engines.
If a maintainer is unresponsive about important bugs, then the affected
packages will, automatically, not appear in testing. So if you keep with
testing, the really bad bugs won't appear on your systems. Of course,
if nobody runs unstable anymore, they will, again. The upload system
can even be made to accept packages only after successful lintian
checks and surely, that would catch some bugs, but not all.
If you are concerned about installing binary packages containing software
that you did not verify the source code of and rebuild yourself, then
do not install binary packages from the network. Keep with self-built
packages from stable and trust that there are enough debian users who
casually inspect random pieces of source code and who will raise an issue
in the bts if there is something wrong there.
Perhaps there is some ground for creating a new section "sponsored", next
to the existing main, contrib and non-free. I'm not really convinced
that this is a good idea, because the sponsored packages should simply
be real debian packages and the sponsorees are intended to become regular
maintainers eventually anyway. I don't like a formalized status aparte,
especially when the formality is pointless. After all, anyone can
maintain their own web accessible package repository and publish a
relevant deb uri for apt.
It is also neither reasonable nor fair to offload the security problems
onto the sponsoring practice wholesale. Any registered debian developer
can suffer a break-in. Any debian hosted machine can suffer a break-in.
At anytime soon. Perhaps it would be more interesting to discuss matters
relating to this, rather than pointing at an easily identifiable group
and thinking that the problem will go away then. Because it will not go
away, it will happen some day. BTW, I like to soothe my worries about
these issues by thinking that I am more likely to be hit by silly postrm
mistakes a la: "rm -rf $base/$dir" with erroneously unset $base and $dir.
And then even more likely is that I will do it myself, using only my
own limited imagination and endless carelessness.
Cheers,
Joost
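The postrm hazard Joost mentions, as an added shell example that is not part of this mail thread: the paths are constructed, the remover is a dry run that never deletes anything, and `${var:?msg}` is the POSIX expansion that aborts the command when the variable is unset or empty.

```sh
#!/bin/sh
# Added example, not from the original mail: a postrm-style
# "rm -rf $base/$dir" with $base and $dir erroneously unset, next to
# the guarded form. All inputs are constructed; nothing on disk is touched.

# Careless form: builds the path with no guards at all. With both
# variables empty this expands to "/", the whole filesystem.
unsafe_target() {
    base="$1"; dir="$2"
    printf '%s\n' "$base/$dir"
}

# Guarded form: ${var:?msg} aborts the command (and prints msg) when the
# variable is unset or empty, so the "/" path can never be formed.
# Run in a subshell so the abort does not take the caller down with it.
# "set -u" at the top of a maintainer script gives the same protection
# for every expansion at once.
safe_target() {
    ( base="$1"; dir="$2"
      printf '%s\n' "${base:?base is unset}/${dir:?dir is unset}" ) 2>/dev/null
}

# Dry-run stand-in for rm -rf: refuses "/" and reports what it was handed.
dry_run_rm() {
    target="$1"
    case "$target" in
        /|//|"") echo "REFUSED: rm -rf on '$target'" >&2; return 1 ;;
        *) echo "would run: rm -rf $target"; return 0 ;;
    esac
}

demo() {
    # Normal case: both variables set, sensible path.
    dry_run_rm "$(unsafe_target /var/lib/foo cache)"
    # Both variables unset: the careless script hands "/" to rm.
    dry_run_rm "$(unsafe_target '' '')" || echo "careless postrm would have wiped the system"
    # Same inputs through the guarded form: the command never runs.
    safe_target '' '' || echo "guard fired: no rm executed"
}

demo
```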