
Re: Bug#207300: tmda: Challenge-response is fundamentally broken



This one time, at band camp, Joey Hess said:
> 
> I don't think that TMDA is yet enough of a problem for this to be a big
> deal, but I think it has the potential to become one. Debian as a whole
> is empowered to override the wishes of one maintainer, if it turns out
> that the software he is packaging is detrimental to the distribution as
> a whole. We do not let maintainers package software in us/main that puts
> us at risk of copyright infringement, or certain patent infringements,
> or in the past, crypto that cannot be exported. If we find that TMDA has
> the potential to cause significant problems for the project, we can
> certainly decide that we will not promote it or distribute it, and we
> can warn our users not to use it in communication with the project.

Let me start by saying I absolutely hate C-R systems, and give up on
communicating with people who use them.  That being said, I think the
argument you're making is a slippery slope, and is not something I'm
entirely comfortable with.

The project certainly can and should prohibit maintainers from uploading
things that will cause problems for the project (crypto, copyright
infringement, etc.), but that is a different case than this.
Distributing TMDA doesn't infringe copyrights, and is not illegal, at
least AFAIK.  The fact that it is distasteful to me personally (and
clearly, many others) is a sad thing, but not RC quality.  Remember
that we explicitly state in the Social Contract that we allow groups like
the KKK to use our software for distasteful ends.

I think that either a large warning on bugs.d.o about the use of C-R
systems in correspondence, or a similar warning in the description of
TMDA would suffice.  I am not familiar with TMDA, so I may be wrong, but
couldn't it be shipped with a default of not issuing a C-R, and have a
note in README.Debian about how to enable it, with the caveat that
using C-R for BTS correspondence will likely result in ignored bug
reports and problems for the project?

Just some thoughts,
-- 
 -----------------------------------------------------------------
|   ,''`.					     Stephen Gran |
|  : :' :					 sgran@debian.org |
|  `. `'			Debian user, admin, and developer |
|    `-					    http://www.debian.org |
 -----------------------------------------------------------------
