
Re: Proposal for removal of mICQ package

On Fri, Feb 14, 2003 at 01:18:56PM +1000, Anthony Towns wrote:

> > > As far as avoiding getting trojan horses in the distribution goes, isn't
> > > that why we have maintainers?
> > It is certainly the case that a maintainer is responsible for making sure
> > the uploaded packages are sound, but I think we need to face facts here:
> > we don't have so many skilled developers that we can reasonably expect to
> > audit the diffs of every new upstream release that's uploaded into our
> > archive.  

> See, I find that claim, and the fact that people seem so willing to
> accept it, a lot more concerning than some stupid obfuscated printf and
> exit making it into unstable.

What are we going to give up to get developers to spend this time
auditing their packages?  Package count?  QA?  Maintainer sanity ("job

Flamewars? :)

I don't know that there are many developers among us who aren't already
dedicating as much time to Debian as they're willing/able.  If there
aren't, something has to give somewhere else.  1-2 hours per upstream
release per package can add up rather quickly.

> > We are very much exposed where upstreams are concerned, and the
> > best way to protect against that is to make sure we know and trust our
> > upstreams (and, be able to know and trust the origins of the tarball
> > we're downloading).  

> This isn't possible. For example, we'll lose a lot more software if we
> drop every upstream that doesn't have an md5sum file that's signed by
> a key connected to our web of trust, than if we just insist on maintainers
> auditing every update they do to their package.

And if we already have trusted, signed md5sum files?

Steve Langasek
postmodern programmer
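As an added illustration of the "trusted, signed md5sum files" mechanism discussed in this thread (not code from the list or from Debian): a checker for the manifest format that md5sum/sha256sum write, run against a constructed tarball. The manifest's signature check (gpg) is assumed to happen first and is not shown; this only confirms the downloaded bytes match what the signed manifest lists.

```python
import hashlib
import re

# Assumed manifest format (GNU coreutils md5sum/sha256sum output):
# "<hexdigest>  <filename>" per line, optional "*" before the name for binary mode.
_LINE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(.+)$")


def parse_manifest(text):
    """Return {filename: hexdigest} from a checksum manifest; skips blanks and comments."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed manifest line: {raw!r}")
        entries[m.group(2)] = m.group(1).lower()
    return entries


def verify_manifest(text, files, algo="md5"):
    """Check every downloaded file ({name: bytes}) against the manifest.

    Returns (ok, problems). This proves integrity relative to the manifest only;
    it says nothing about origin unless the manifest's signature was verified
    against a key you actually trust before calling this.
    """
    expected = parse_manifest(text)
    problems = []
    for name, data in files.items():
        want = expected.get(name)
        if want is None:
            problems.append(f"{name}: not listed in manifest")
            continue
        if hashlib.new(algo, data).hexdigest() != want:
            problems.append(f"{name}: digest mismatch")
    for name in expected:
        if name not in files:
            problems.append(f"{name}: listed but not downloaded")
    return (not problems, problems)


# Constructed sample data, not a real upstream release.
SAMPLE_TARBALL = b"fake-upstream-1.0.tar.gz contents"
SAMPLE_MANIFEST = hashlib.md5(SAMPLE_TARBALL).hexdigest() + "  upstream-1.0.tar.gz\n"
```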

