
Re: Breach of trust and security (was: Re: sponsor rules)



On Sun, 22 Jul 2001, Daniel Stone wrote:
> On Tue, Jul 17, 2001 at 12:00:10AM -0300, Henrique de Moraes Holschuh wrote:
> > Mr. Sponsor, do not do it again.  Mr. NM, get out of our sights for 1 month
> > and learn to package well while at it -- we all will be better off if you
> > do.  Mr. hmh, go to bed; you're ranting again.
> 
> DDs don't have a magical +50 Ring of Not Fucking Up. There are various

Some people simply cannot understand, no matter how much one explains.

I am *NOT* complaining of fuck ups here, damn it! Nor are most of the other
emails in the thread. This thread is about the sheer irresponsibility of
uploading something, from someone who is not yet trusted by the project,
WITHOUT EVEN CHECKING IT FIRST!

Is it that difficult to understand?  Who cares if it was a broken upload or
not?  The problem is that said DD broke our trust when he sponsored someone
without looking at what he was forwarding to the archive.  If the packages
were not broken (in fact, even if they fixed dselect's Recommends: annoyance
or made KDE/GNOME use only 1MB core), it would still be a breach of trust.

Stop caring about hurt egos, and look at the problem with a professional
clinical eye.  Debian DDs have a responsibility to the project, and all
the users of Debian. This responsibility is to be taken very seriously.

As for the NM, he doesn't know how to package yet, so he should learn how
to. 1 month is about the time I'd expect someone to learn all the little
details of Debian packaging. I won't ask from where you pulled the idea this
was a punishment.

> But, just remember - there have been some legendary fuck-ups. By DDs. Should
> they, too, go away for a month?

If they upload ***untrusted*** holy code to the archive, no matter how much
magic smoke and penguin pee it contains -- without checking it, and
recompiling it first?

Yes, they deserve an extremely painful LART.  If such an upload was indeed a
trojan, I'd expect the sponsor DD to be given two choices: publish a public
apology letter, signed, on debian-announce... or leave the project for a
very long while [read: some years] (the NM who asked a trojan to be
sponsored would be rejected, obviously, as long as it was not done on
purpose).

I doubt we'd have many unchecked sponsor uploads for a while if that
happened, and this is the whole reason for doing it, in the end --
punishment is utterly useless if it does not educate (unless you're a
sadist, but I shall leave the perverts out of this thread).

Now let's go back to more productive Debian work. Please.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
