Re: Proposal for removal of mICQ package

On Thu, Feb 13, 2003 at 06:55:54PM +0100, Josselin Mouette wrote:
> You cannot ask the maintainers to review every single line of upstream
> code, especially when it is moving fast (I don't know whether it is the
> case for micq). Or else, we will have to seriously decrease the number
> of packages we provide.

Er, well, I myself do in fact read every line of diff that gets applied
to my XFree86 packages.  That includes the diff between entire versions
when upstream does a release.

It's a good way to learn about how your package works.  Of course, I
also do it because I am pathologically paranoid.

This process isn't perfect; I can't make any guarantee that I won't
catch something sneaky or dumb that has crept into upstream code.
Reading diffs is not the same thing as a code audit.  Still,
intuitively, it seems a lot more likely to catch shenanigans (deliberate
or not) than *not* reading the changes to the package.

I don't know if it's reasonable to expect every package maintainer to do
this, but I sure think it's worth brownie points.

G. Branden Robinson                |      Never underestimate the power of
Debian GNU/Linux                   |      human stupidity.
branden@debian.org                 |      -- Robert Heinlein
http://people.debian.org/~branden/ |
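The practice described in the mail above, as an added example that is not part of the original message and not Debian's own tooling: a POSIX shell script that unpacks two upstream release tarballs, produces one recursive diff of the whole release for reading, lists every path the diff touches, and flags the files a text diff cannot show at all (binary blobs). It needs only sh, tar, diff and awk. The tarballs, file names (example-1.0, example-1.1, main.c, helper.bin) and their contents are constructed inside the script for the demonstration and belong to no real project.

```shell
#!/bin/sh
# Added example: read an upstream release as a diff before packaging it.
# Not from the original mail and not Debian tooling; it only needs a POSIX
# sh plus tar, diff and awk. The tarballs, file names and contents used
# for the demonstration are constructed below, not taken from any project.
set -eu
export LC_ALL=C   # keep diff's "Binary files ... differ" message stable

# review_upstream_diff OLD.tar.gz NEW.tar.gz OUT.diff
# Unpack both releases with the top-level directory stripped (so a renamed
# release directory does not touch every path) and write one recursive
# unified diff to OUT.diff. -N shows files present on only one side in
# full, so additions and removals are read like any other change.
review_upstream_diff() {
    old=$1 new=$2 out=$3
    case $out in /*) ;; *) out=$PWD/$out ;; esac
    work=$(mktemp -d)
    mkdir "$work/old" "$work/new"
    tar -xzf "$old" -C "$work/old" --strip-components=1
    tar -xzf "$new" -C "$work/new" --strip-components=1
    rc=0
    (cd "$work" && diff -ruN old new > "$out") || rc=$?
    rm -rf "$work"
    [ "$rc" -le 1 ]   # diff exits 1 on differences; anything higher is an error
}

# changed_files OUT.diff: every path touched (added, removed, modified or
# binary), one per line, relative to the release root.
changed_files() {
    awk '
        /^\+\+\+ new\//  { f = $2; sub(/^new\//, "", f); print f; next }
        /^Binary files / { f = $5; sub(/^new\//, "", f); print f }
    ' "$1" | sort -u
}

# binary_changes OUT.diff: files diff could not show as text. Reading the
# diff cannot review these at all, so a new or changed blob in a source
# release is the first thing to chase up with upstream.
binary_changes() {
    awk '/^Binary files / { f = $5; sub(/^new\//, "", f); print f }' "$1"
}

# diff_stats OUT.diff: "N added, M removed" source lines, a rough measure
# of how much reading the new release demands.
diff_stats() {
    awk '
        /^\+/ && !/^\+\+\+ / { a++ }
        /^-/  && !/^--- /    { r++ }
        END { printf "%d added, %d removed\n", a, r }
    ' "$1"
}

# make_sample_tarball ROOT VERSION old|new: build a toy release tarball
# (constructed data) and print its path. The "new" release changes one
# line of C, bumps the README, and adds a binary file that a text diff
# cannot display.
make_sample_tarball() {
    root=$1 version=$2 flavour=$3
    src="$root/example-$version"
    mkdir -p "$src"
    if [ "$flavour" = new ]; then
        printf 'int main(void) { return 42; }\n' > "$src/main.c"
        head -c 16 /dev/zero > "$src/helper.bin"
    else
        printf 'int main(void) { return 0; }\n' > "$src/main.c"
    fi
    printf 'Example project, version %s\n' "$version" > "$src/README"
    tar -czf "$root/example-$version.tar.gz" -C "$root" "example-$version"
    printf '%s\n' "$root/example-$version.tar.gz"
}

# Demonstration when run directly:  sh review-upstream.sh demo
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    old=$(make_sample_tarball "$tmp" 1.0 old)
    new=$(make_sample_tarball "$tmp" 1.1 new)
    review_upstream_diff "$old" "$new" "$tmp/upstream.diff"
    echo "Files to read:";                 changed_files "$tmp/upstream.diff"
    echo "Binary (unreviewable as text):"; binary_changes "$tmp/upstream.diff"
    diff_stats "$tmp/upstream.diff"
    cat "$tmp/upstream.diff"
    rm -rf "$tmp"
fi
```

Running it with `demo` prints three files to read (README, helper.bin, main.c), flags helper.bin as binary, reports "2 added, 2 removed", and dumps the diff itself. On a real release the diff is what gets read line by line; the binary list is the part of the release that reading cannot cover and that needs a separate explanation from upstream.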
