Re: PPAs for Debian
On Wed, May 04, 2011 at 01:23:12AM -0400, Scott Kitterman wrote:
> On Wednesday, May 04, 2011 12:16:54 AM Paul Tagliamonte wrote:
> > On Wed, May 4, 2011 at 12:02 AM, Julien Valroff <firstname.lastname@example.org> wrote:
> > > On Wednesday 04 May 2011 at 00:02:01 (+0200 CEST), René Mayorga wrote:
> > >> On Tue, May 03, 2011 at 11:30:41PM +0200, Stefano Zacchiroli wrote:
> > >> > After all, in that respect what is the difference between that and
> > >> > unofficial APT repositories that many of us already maintain at
> > >> > people.d.o/~something or something.debian.net? Do you want to shut
> > >> > them down as well?
> > >>
> > >> no, I was expressing over the PPA as an official service that allows
> > >> users to upload any package without any quality control.
> > >
> > > AFAIU, only DDs and DMs could create PPAs and upload to them. If this is not
> > > the case, then I share your fears.
> > Usage of the PPA system on LP requires that you agree to the usage
> > terms (not unlike machine usage policies for Debian).
> > We let non-MOTU upload to their own PPAs (has their name in the URL),
> > and if nonfree (or malicious) packages are uploaded, they can have PPA
> > rights removed.
> > There's been one issue I can recall, and it was only a very very
> > slight DFSG technicality.
> That depends on what you mean by 'issue'. I think exactly the issues that
> concern some people in Debian about packages of 'poor quality' being generated
> in an uncontrolled PPA system are happening with regularity in Ubuntu.
> Although it doesn't happen every week or anything, it's happened more often
> than I can recall that someone files a bug in Ubuntu about broken PPA packages
> done by some random non-developer. I believe Debian is quite correct to be
> concerned about the potential for user confusion and damage to Debian's
> reputation for high quality work.
> PPAs as a developer tool are one thing, PPAs as a tool for random uploads, I
> think are quite another. I'd hate to see Debian make the same mistake that
> Canonical did in this regard.
Add to that that allowing random people to upload packages to be built
on Debian build daemons is a recipe to have the buildds compromised.