
Re: Bug#595820: ITP: woof -- A small, simple, stupid webserver to share files



On Wed, Sep 08, 2010 at 04:58:21PM -0400, Joey Hess wrote:
> Incoming code of possible security significance should be reviewed for
> at least common classes of security holes. Instead, we get a thread where
> the ITPer is required to prove that nothing in Debian can do what his
> package does.

You got me. I'm convinced by these arguments.

Still, they account for a possibly inflated perception of the trade-off
between security *risks* and the benefits of having a new package in the
archive. That trade-off is not the same as the trade-off between
security *work* and the benefits of introducing a new package. That is
to say that arguably the security team will have to issue a security
fix in woof anyhow, even if its impact is much lower than the impact
of a security hole exploitable in the default Apache configuration.

But once more you're right: it is not up to us here to say which
packages are acceptable from the POV of the security team. I can just
comment that my, probably inflated, perception of the extra burden is
not based only on my personal beliefs. My perception is also based on
past comments (and talks) on the subject by the security team, where the
"yet another web server" example was frequently cited, at least as I
recall.

I also agree that the default mood (or culture as you call it) "against"
ITPs is probably excessive, but we should not give up on requiring
adherence to best ITP practices. In particular, a review of
alternatives available in the archive is something I do expect from
ITP-ers of *any* software, whether it's security-sensitive or not.
Similarly, documenting in the long description reasons for choosing the
package over its alternatives is something to be expected as well.  For
woof, it might be written as simply as you just did, but it's still
something this ITP is waiting for.

Bottom line: this thread could have probably been spared entirely, by
providing a long description matching the above criteria since the
beginning.

Cheers.

-- 
Stefano Zacchiroli -o- PhD in Computer Science \ PostDoc @ Univ. Paris 7
zack@{upsilon.cc,pps.jussieu.fr,debian.org} -<>- http://upsilon.cc/zack/
When even the saints turn their backs on you, |  .  |. I've fans everywhere
you still have John Fante -- V. Caposella ....| ..: |.......... -- C. Adams
