[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: MIA, Incompetent and holiday-loving maintainers (was: Request for NMUs.)

On Wed, Dec 31, 2003 at 08:28:58PM +0100, Martin Michlmayr wrote:
> you underestimate the complexity of the problem.  While Martin totally
> ignored all the messages I sent him and didn't even react to me
> orphaning some of his packages, he was uploading other packages.  This
> makes it a hard decision to orphan all his stuff, when he's doing some
> work.  At the same time, even though he made uploads, most of the
> packages were still in a bad shape.

We have packages in Debian which are maintained by somebody who is not
contactable. These packages are in a bad shape. The maintainer has had
other packages of his orphaned and has not even reacted.

Am I the only person appauled by this?

I don't think we should be trusting people who do not respond to
emails. Some of his packages have been orphaned, so I'm sure everything
possible has been done to contact him. 

>From a security point of view, every Debian developer must be a trusted
person - they effectively have root access to every Debian sid machine
in the world. It would be easy for any maintainer to add rm -rf / to a
postinst script. This would be picked up and removed from the archive,
but some people would suffer and the Debian project would certainly
suffer when people find out about it. 

IMHO, it would be better to temporarily remove Developers like this from
the keyring and orphan all their packages as soon as we find out about
them. If they respond to this within a few weeks saying why they failed
to respond and repeating their promise to follow Debian rules and also
making one to ask for help when they need it, they should be allowed
back in. 

The trouble with that is that some people would get pissed off. In the
above example, he might say that he won't come back and maintain his
packages. Is that such a bad thing?

We would have one less developer. Some packages which are currently in a
bad shape would get a new maintainer and be fixed. Other packages which
no developers care about may be dropped from Debian. 
>From our users point of view, a few of our packages would be better
maintained (or we wouldn't claim to be maintaining some packages); they
would get responses to bug reports which they file. Potentially, testing
would be more up-to-date and releases may be faster. 
More realistically from the point of view of people who use the packages
which are in a bad shape: Debian would be a much better distribution.
One package pissing somebody off always sticks out more than 100
well-maintained packages.

  .''`. Mark Howard
 : :' :
 `. `'  http://www.tildemh.com 
   `-   mh@debian.org | mh@tildemh.com | mh344@cam.ac.uk 

Reply to: