
Re: We have a problem




On 05/06/2015 08:37 PM, Patrick Ouellette wrote:
>> You. Were. Not. An. Uploader. Period.
> 
> 
> I was a person who accepted the responsibility to co-maintain the 
> package.

Again, that doesn't automatically turn you into an uploader or
maintainer. If you haven't done anything on a package recently, then
there is no point listing you as the maintainer.

It's handled the exact same way everywhere in the open source
community. If you are listed as a maintainer of a subsystem or driver in
the kernel, then you are supposed to be active and responsive.
Otherwise you are kindly asked to give up the maintainership and leave it
to someone else.

>> Ever heard of reproducible builds?
> 
> 
> A person with the ability to upload the package can introduce a
> package with a malicious maintainer script. Such a script will be
> included in any Debian build from the Debian source package.

Did you actually read what I wrote? I said, you can diff the scripts
at any time and check them for malicious code if you are paranoid
enough. The diff against the vanilla upstream package will be small
enough to catch any such changes, no matter if they are patched into
the upstream source or the maintainer scripts.

Really, we can spin this forever if you like.

Adrian

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaubitz@debian.org
`. `'   Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913
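The check Adrian describes, diffing a package's maintainer scripts against a known-good tree so that any added or altered script stands out, as an added shell example that is not from this thread or from Debian's own tooling; it assumes two already unpacked source trees (e.g. from `dpkg-source -x`) and constructs sample trees for a stand-alone run:

```shell
#!/bin/sh
# Added example, not code from the thread or from Debian: compare the
# maintainer scripts (preinst/postinst/prerm/postrm) of two unpacked
# source trees and report what changed. Layout and names are assumed.
set -eu

# Print the relative paths of all maintainer scripts found under DIR/debian,
# covering both the plain form (debian/postinst) and the per-binary form
# (debian/<pkg>.postinst).
ls_scripts() {
    for f in "$1"/debian/preinst "$1"/debian/postinst "$1"/debian/prerm \
             "$1"/debian/postrm "$1"/debian/*.preinst "$1"/debian/*.postinst \
             "$1"/debian/*.prerm "$1"/debian/*.postrm; do
        [ -f "$f" ] && echo "${f#"$1"/}"
    done
    return 0
}

# audit_maint_scripts OLD_DIR NEW_DIR: one line per added, removed or
# modified script, followed by a unified diff for modified ones.
# Returns 1 when any script differs, 0 when all are identical.
audit_maint_scripts() {
    old=$1; new=$2; changed=0
    for rel in $( { ls_scripts "$old"; ls_scripts "$new"; } | sort -u ); do
        if [ ! -e "$old/$rel" ]; then
            echo "ADDED    $rel"; changed=1
        elif [ ! -e "$new/$rel" ]; then
            echo "REMOVED  $rel"; changed=1
        elif ! cmp -s "$old/$rel" "$new/$rel"; then
            echo "MODIFIED $rel"; changed=1
            diff -u "$old/$rel" "$new/$rel" || true
        fi
    done
    return $changed
}

# Constructed sample trees for a stand-alone run: the new revision edits
# postinst and adds a per-binary preinst that the old revision lacked.
make_sample_trees() {
    d=$(mktemp -d)
    mkdir -p "$d/old/debian" "$d/new/debian"
    printf '#!/bin/sh\nset -e\nldconfig\n' > "$d/old/debian/postinst"
    printf '#!/bin/sh\nset -e\nldconfig\ncp /usr/share/foo/foo.conf /etc/foo.conf\n' \
        > "$d/new/debian/postinst"
    printf '#!/bin/sh\nexit 0\n' > "$d/new/debian/foo.preinst"
    echo "$d"
}

# Usage: ./audit.sh OLD_TREE NEW_TREE
if [ "$#" -eq 2 ]; then audit_maint_scripts "$1" "$2"; fi
```

Every line the report prints is something an uploader has to be able to explain; an unexplained change in a script that runs as root at install time is exactly what the diff is meant to surface.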

