On Thu, Feb 13, 2003 at 06:55:54PM +0100, Josselin Mouette wrote:
> You cannot ask the maintainers to review every single line of upstream
> code, especially when it is moving fast (I don't know whether it is the
> case for micq). Or else, we will have to seriously decrease the number
> of packages we provide.

Er, well, I myself do in fact read every line of diff that gets applied
to my XFree86 packages. That includes the diff between entire versions
when upstream does a release. It's a good way to learn about how your
package works. Of course, I also do it because I am pathologically
paranoid.

This process isn't perfect; I can't make any guarantee that I won't
catch something sneaky or dumb that has crept into upstream code.
Reading diffs is not the same thing as a code audit. Still, intuitively,
it seems a lot more likely to catch shenanigans (deliberate or not) than
*not* reading the changes to the package.

I don't know if it's reasonable to expect every package maintainer to do
this, but I sure think it's worth brownie points.

-- 
G. Branden Robinson                |     Never underestimate the power of
Debian GNU/Linux                   |     human stupidity.
branden@debian.org                 |     -- Robert Heinlein
http://people.debian.org/~branden/ |
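The practice Branden describes above (reading the full diff between two upstream releases before packaging the new one) is easy to make routine with a small helper. The script below is an added example, not code from the message or from the Debian XFree86 packaging; every function name, and the sample "foo-1.0"/"foo-1.1" trees it builds under a temp directory, are constructed for illustration. It produces the release-to-release unified diff, counts what changed, and pulls out the files a reviewer should read first: anything that runs at build or install time (configure scripts, Makefiles, shell and m4 fragments, debian/rules), since a single added command there executes on the packager's and every user's machine.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original message):
# diff two unpacked upstream releases and summarize what a reviewer must read.

# Write a unified, recursive diff of OLD_DIR vs NEW_DIR to PATCH_FILE.
# diff exits 1 when the trees differ, which is the expected case; only
# exit status 2 (an error) is propagated.
release_diff() {
    diff -ruN "$1" "$2" > "$3" || [ $? -eq 1 ]
}

# List every file touched by PATCH_FILE, relative to NEW_DIR.
# '+++ <NEW_DIR>/path/file<TAB>timestamp' -> 'path/file'
changed_files() {
    sed -n "s|^+++ $2/||p" "$1" | cut -f1
}

# Files that deserve the first and closest read: build and install logic.
high_attention_files() {
    changed_files "$1" "$2" | grep -E \
      '(^|/)(configure(\.ac|\.in)?|Makefile(\.am|\.in)?|CMakeLists\.txt|setup\.py|[^/]*\.(sh|m4|spec))$|(^|/)debian/rules$' \
      || true
}

# Print "ADDED REMOVED" line counts, skipping the '+++ ' / '--- ' file headers.
diff_stat() {
    added=$(grep -E '^\+' "$1" | grep -Evc '^\+\+\+ ' || true)
    removed=$(grep -E '^-' "$1" | grep -Evc '^--- ' || true)
    echo "$added $removed"
}

# One-screen review summary for OLD_DIR -> NEW_DIR.
review_release() {
    old="$1"; new="$2"; patch="$3"
    release_diff "$old" "$new" "$patch"
    if ! [ -s "$patch" ]; then
        echo "no changes between $old and $new"
        return 0
    fi
    echo "full diff written to: $patch"
    echo "files changed: $(changed_files "$patch" "$new" | wc -l | tr -d ' ')"
    echo "lines added/removed: $(diff_stat "$patch")"
    echo "read these first (build/install logic changed):"
    high_attention_files "$patch" "$new" | sed 's/^/  /'
}

# Constructed sample: two tiny "releases" so the helpers run offline.
# The 1.1 Makefile gains a new shell command, the kind of change that must
# be read rather than skimmed. Prints the base directory.
make_sample_releases() {
    base=$(mktemp -d)
    mkdir -p "$base/foo-1.0/src" "$base/foo-1.1/src"
    printf 'int main(void) { return 0; }\n' > "$base/foo-1.0/src/main.c"
    printf 'int main(void) { return 1; }\n' > "$base/foo-1.1/src/main.c"
    printf 'all:\n\tcc -o foo src/main.c\n' > "$base/foo-1.0/Makefile"
    printf 'all:\n\tcc -o foo src/main.c\n\tsh ./post-build.sh\n' > "$base/foo-1.1/Makefile"
    printf '#!/bin/sh\necho built\n' > "$base/foo-1.1/post-build.sh"
    echo "$base"
}

demo() {
    base=$(make_sample_releases)
    review_release "$base/foo-1.0" "$base/foo-1.1" "$base/foo-1.0-to-1.1.patch"
    rm -rf "$base"
}

demo
```

On a real package you would run review_release against the two unpacked upstream tarballs and then read the patch file in full; the "read these first" list only orders the work, it does not replace reading the rest, which is the point of the message above.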