[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: FTP Team -- call for volunteers

On Sun, Mar 15, 2020 at 07:52:06PM +0000, Neil McGovern wrote:
> In theory, yes - this would move the liability to the uploader. However,
> there are two issues with this:
> 1) The liability now rests with the uploader. This isn't something that
> has really been done before, and we'd need to make sure that we're
> comfortable with this.

The uploader has *already* distributed the package by uploading it to
ftp.debian.org.  So the uploader already has any (99.99% of the time,
completely non-existent) liability.  If the uploader is using github,
or salsa, they've also *already* distributed it.  And I'll note that
the salsa admins don't be as concerned about potential liability to
Debian compared to the ftp team when a maintainer uploads a package
with a shared library version bump so that there's a new package,
libfoo4 instead of libfoo3.

> 2) We would be very limited in what checks we could actually do on new
> packages. If we look too closely at packages, we stop being a
> distributor, and start being a publisher. I'm not sure that we want to
> move towards just being a distribution platform, rather than actually
> doing QA checks.

I'm confused.  As near as I can tell, we already are looking super
closely at new packages.

						- Ted

Reply to: