
Re: Proposal for removal of mICQ package

On Fri, 2003-02-14 at 04:36, Russell Coker wrote:
> On Fri, 14 Feb 2003 04:18, Anthony Towns wrote:
> > > It is certainly the case that a maintainer is responsible for making sure
> > > the uploaded packages are sound, but I think we need to face facts here:
> > > we don't have so many skilled developers that we can reasonably expect to
> > > audit the diffs of every new upstream release that's uploaded into our
> > > archive.  
> >
> > See, I find that claim, and the fact that people seem so willing to
> > accept it, a lot more concerning than some stupid obfuscated printf and
> > exit making it into unstable.
> On a few occasions I have expressed the opinion that Debian developers should 
> be programmers and should have basic programming skills in the language of 
> the program that they are packaging.
> On every occasion I was flamed by developers who do not meet those criteria.
> There seems to be a reasonable number of people who have the opinion that 
> being capable of auditing the code is not a requirement.  People who are 
> capable of auditing such code won't necessarily have time to do so either...

It's more than just auditing. You have to be able to filter patches for
upstream, know how the program interacts with the language's facilities
(e.g., if you maintain a C++ package, understand the ABI changes, if you
maintain a Perl package, know Perl's module structure and the Perl
policy), and be helpful to upstream in mediating bug reports (e.g.
translate "It crashes on start" to "it dereferences a null pointer on
line 25").

None of these are particularly difficult tasks. Checking diffs between
versions for odd-looking code would've caught this one. Greps for any
calls to system or exec would turn up other "simple" trojans. Neither of
these requires being an expert in the language. Any C programmer with
more than a few weeks of experience would've noticed something was odd
in the mICQ code, even if they couldn't figure out what it actually did.

If a developer doesn't know the language of the package they're
maintaining with basic fluency, they shouldn't be maintaining it. When I
decided to maintain the pyddr package, the first thing I did (before
even mkdir debian/) was to learn Python.
Joe Wreschnig <piman@debian.org>
