
Re: security in testing



On Thu, 15 May 2003 09:52:06 -0400, Theodore Ts'o <tytso@mit.edu> said: 

> Um, when we all agreed to be Debian Developers, we agreed to the
> following from the social contract:

> * Our Priorities are Our Users and Free Software

> 	We will be guided by the needs of our users and the
> 	free-software community. We will place their interests first
> 	in our priorities. We will support the needs of our users for
> 	operation in many different kinds of computing
> 	environment.....


> So what does that mean?  If we define "our users" as ourselves,
> then the social contract reduces to "we will place our interests
> first in our priorities", and that doesn't sound so good, does it?
> :-)

	Welcome to the reality of the situation. While we have
 all agreed to put the needs of our users high on the list; ultimately
 what I work on, and how much work I put in, depends on my interest,
 the demands of home, work, and family, and motivation. Human nature
 being what it is, the tendency is to perform tasks that really
 interest one.


	The social contract is a highly idealized goal; and while I do
 strive for taking care of _all_ user needs, I can't; indeed, that is
 technically impossible. Given scarce resources, I selfishly first
 satisfy the class of users to which I belong; and then, with whatever
 time, motivation and energy I have left I cater to others. 

	Does this mean I am disavowing the social contract? No. It
 means that I am triaging the problems according to my own criteria.


> If our users include those who want something that is less stale
> than "stable", but where they don't want to deal with having to
> stitch together their system after an update to perl or lilo leaves
> their system completely unusable, how do we meet their needs?  There

	Not all the people can get what they want. Or do you really
 think there is a plethora of free lunches?

> are certainly disagreements at the tactical level (we could solve
> this problem by applying pressure to people to not upload broken
> packages to unstable;

	Effectively killing Debian through ossification.

> we could solve the problem by fixing enough RC bugs that packages
> flow into testing much more reliably and quickly;

	I have no fault to find with this solution.  Is it likely, in
 practice, to be better than the current situation? Hah!

> we could solve the problem by recruiting people to upload into
> "testing-security").

	If you can get enough competent volunteers, this is great.


> But the first question before we discuss tactics is whether or not
> we "should" do it.  Does the fact that we've accepted the Social
> Contract put any kind of moral claim on what we as an organization
> do?  If the question to that question is yes, then individual
> developers will need to search their souls and decide whether or not
> this means they are feeling called to put in the time to fix an RC
> bug, or work to NMU or otherwise clear a blocked, critical package,
> or contribute to security or testing-security, or do something else
> to further the goal.

	*Shrug*. I personally feel this is a good thing, though I
 place it lower down in the priority queue than getting the best
 possible _released_ version, and supporting stable versions.


>> I'd argue that the converse is more important. [Unless most
>> developers do everything they do for purely altruistic reasons. I
>> know I do what I do for selfish reasons first.]

> That may be true, but the ideals articulated in the Social Contract
> aspire to something higher than that.

	I am not so sure. I am not sure altruism is either workable,
 or, in the long term, unequivocally laudable. But we are drifting
 rather far afield.

	manoj

-- 
The truth of a thing is the feel of it, not the think of it. Stanley
Kubrick
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C


