
Re: New General resolution proposed

On Mon, Feb 12, 2007 at 11:24:07AM -0800, Joe Buck wrote:
> On Mon, Feb 12, 2007 at 07:10:36PM +0000, Bill Allombert wrote:
> > On Mon, Feb 12, 2007 at 10:05:26AM -0800, Joe Buck wrote:
> The check, though, only compares the names of the source packages to
> the names of the binary packages, so the system trusts those who upload
> only binaries to upload the right binaries (binaries that truly correspond
> to the source).  Right now, those who run auto-builders are trusted, but
> the GR proposes to trust all developers.  Right?

Not exactly; all developers are trusted but for the arm and alpha
architectures, and even this restriction was only added in late December.
The check compares the name and the version. The exact same check is
used for binary packages that are part of a sourceful upload.

It is not easier for a malicious developer to build a binary package
which does not match the source it pretends to be a build of, and upload it
as part of a sourceless upload, than as part of a sourceful upload
(see dpkg-genchanges(1) for technical details).

> > The GR only addresses the non-technical issue of whether Debian
> > developers should be allowed to perform the upload, not whether the
> > packages will be accepted in the archive, as long as the motive for
> > rejection is not the identity of the submitters.
> Is the idea to get around bottlenecks caused by too few authorized people
> for a given arch?

No, that would be a technical reason. This GR is purely non-technical
as far as I am concerned.

Bill. <ballombe@debian.org>

Imagine a large blue swirl here. 
