Re: Proposal for removal of mICQ package
On Thu, Feb 13, 2003 at 08:17:38PM -0600, Manoj Srivastava wrote:
> This time there was not. In extreme reactions in a fit of
> temper, the reactions escalate; the second time you introduce a
> trojan it is less satisfying than it was the first time. How can you
> be sure that the next time, in order to drive the message home,
> the trojan would not do rm -rf ~/. ?
> In other words, I find this action a serious breach of trust;
> and I do not think, under our social contract, and in the interest of
> our users, we can let software from this person into Debian unvetted.
I'm of the firm mindset that you should have to pass some sort of test
or get a license to write code that a) runs as root b) interacts w/ the
kernel. By the same token it seems logical that a deb maintainer should
at least test the pkg before it's put in incoming.
Now the brokenness of the mICQ pkg could and *should* have been found by
the maintainer *way* before this ever became an issue. It should have
been worked out by the maintainer and the upstream author. The sheer
fact that it has become an issue shows negligence of the Debian
The onus is on the maintainer to maintain a pkg. And by maintain I mean
do more than see if the program compiled and linked, a fairly Microsoft
approach to QA.
GPG key available on pgpkeys.mit.edu
pub 1024D/511FBD54 2001-07-23 Timothy Lu Hu Ball <firstname.lastname@example.org>
Key fingerprint = B579 29B0 F6C8 C7AA 3840 E053 FE02 BB97 511F BD54