
Re: Multi-person sponsorship

Matthew Palmer wrote:
> > package I sponsor. I want to know if they are not able to send me a
> > package that will build properly. I want to work with them and be
> Since you only get packages for sponsorship which have built in a clean sid
> chroot out of my system, you can be fairly sure of that.

As you've described the system, it sounds like my sponsee could make
several iterations with bad unbuildable packages before it is ever made
available to me to look at. This is what I want to avoid; if they are not
competent to upload a buildable package the first time, I want to know

> I'm interested in how many of your sponsees do you know are/aren't doing,
> say, QA work quietly, or working on d-i, or doing bug triage?  I know that
> at least one person I'm sponsoring isn't doing anything on anything else,
> because I used to work with him, but apart from that, the people whose
> packages I've sponsored could be working towards becoming DPL and I'd hardly
> know.  Should I know these things?  Do you think that a good sponsor should
> be doing these things, or that it's useful in the general case for a sponsor
> to know all of a sponsee's other activities?

I use filtering and scoring to keep track of such things reasonably
well. Unless they're sending patches to maintainers via private email or
something, I am likely to see anything they do in debian.

> > Eventually, and most importantly, if they turn out to be doing a good
> > job, I want to get them into Debian as a proper DD, and that is why I
> > require the numerous bits of information I gather in passing while
> > sponsoring them, so I can know if I want to advocate them or not. 
> If you don't mind me asking, what sort of information do you ask for from
> potential sponsees?  (Warning: your answer may become FAQ fodder <g>).  Info
> similar to what gets asked for in the "background" section of NM?

I don't ask a set series of questions, I simply get to know the person
by working with them, same as I'd get to know any other DD, and reach my
own conclusions from that.

> > (I'd also like to see AM's making more use of this information. If I've
> > advocated someone, I can tell you what parts of T&S they have already,
> > IMHO, passed.)
> If you put that information into an advocacy report, does the AM ignore it,
> or are they not supposed to take other people's experiences into account? 
> (That seems odd, considering that some NMs get their AMs switched on them).

I didn't know we had advocacy reports, doesn't the current system only
let you enter their email address?

> > (I also hope that nobody roots your autobuilder.)
> I'm not keen on ever providing the .debs that come out of the autobuilder. 

Beside the point. Inside the autobuilder, you are running possibly
untrusted code. It's only a local exploit away from running as root, at
which time it can easily break out of any chroot you have it in. If it's
in a UML jail it also has to exploit a hole in the linux kernel, but we
have no shortage of those. :-/

see shy jo
