Re: We have a problem
On Wed, May 06, 2015 at 08:10:13PM +0200, John Paul Adrian Glaubitz wrote:
> Date: Wed, 6 May 2015 20:10:13 +0200
> From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
> Subject: Re: We have a problem
> To: Patrick Ouellette <pouelle@debian.org>
> Cc: Debian Hamradio Maintainers <debian-hams@lists.debian.org>
>
> On 05/06/2015 08:00 PM, Patrick Ouellette wrote:
> >> But as you can see, even his AM disagrees with you.
> >
> >
> > Not entirely an accurate statement. His AM was wondering why I
> > was CCing him on the ham radio issue. I have discussed it in
> > private email with him. If he wants to make it public he may.
>
> Could you please stop with your dubious private mails? If you need to
> complain about a fellow DM or DD, do it in front of them, not behind
> their back.
>
So I'm not to respect the privacy of others. And now you chide me for
not discussing things in front of the person when the whole thread started
*because* I publicly expressed my concerns about a person and publicly
CC'd people so the person would be aware who I was talking to.
> > Having been an AM I can attest that it is much easier to put
> > together the report package if you have input from the developer
> > community (good and bad) about an applicant.
> >
> > At the end of the process, the AM is asked to recommend (or not)
> > the applicant. This is not something that should be done lightly.
>
> Yes, thank you, I know how the AM process works. You know, I happen to
> be a DD as well.
>
> > debian-hams is the ham radio maintainer list open to anyone. It is
> > the email address associated with the hamradio maintainers. The
> > uploaders list shows the Debian people actually interested in
> > working on the package (and presumably subscribed to the email
> > list). Is that a better explanation for you?
>
> No, uploaders is the list of people who are UPLOADING the package,
> hence the name.
>
Uploaders is the list of people co-maintaining the package and who have the
permission to upload without considering it an NMU.
> > That is kind of the point - he didn't even bother to send a message
> > to the list. I saw the report from the archive when the new
> > package was uploaded. There was a note in the change log about
> > updating the uploaders list. I had to go to the archive and grab
> > the change log to find out I was removed from it.
>
> But again, you were never the active maintainer of this package so you
> have no reason to complain. Period.
>
> >> Ask regarding what? Regarding the new upstream version?
> >
> >
> > Ask (or even notify) the people he was removing from the package
> > uploaders list.
>
> You. Were. Not. An. Uploader. Period.
>
I was a person who accepted the responsibility to co-maintain the
package.
> >> Then these people should post to the debian-hams mailing list
> >> because, as you can see, everyone else so far on this list
> >> disagrees with you.
> >
> >
> > Only the people who have currently seen the discussion and decided
> > it was worth their time have posted to the list.
>
> Didn't you previously claim there are only like a handful of people on
> this list?
>
> >> Uhm, he has only permissions to upload the packages that he has
> >> been given permission to. Claiming that he would get root access
> >> running Debian if he gets dm-allow for soundmodem is a bit
> >> stretched, don't you think?
> >
> >
> > No. The package scripts run with root permissions. There is
> > nothing stopping a malicious script from being uploaded as part of
> > a package. Debian provides little in the way of safeguards against
> > this other than the developer community.
>
> Ever heard of reproducible builds?
>
A person with the ability to upload the package can introduce a package
with a malicious maintainer script. Such a script will be included in
any Debian build from the Debian source package.
Pat