On Sat, Mar 14, 2009 at 04:25:21PM +0100, Frans Pop wrote:
> On Saturday 14 March 2009, Micah Anderson wrote:
> > All of this is just fun wingnut ramblings, but I think serves to
> > illustrate that the artificial barrier imposed by the arduous NM
> > process is not that significant of a difficulty for getting inside
> > Debian and we cannot use this as a mechanism for making Debian "secure".
>
> Against a seriously determined and well-funded black hat? No, of course
> not. I totally agree with that.

Yes, and there are cheaper ways than getting the black hat to become a
full DD: with a thousand DDs we have a thousand possibly vulnerable
points of entry.

Frankly, if anyone wanted to attack Debian, they'd have to be remarkably
silly to plan to do it through becoming a DD.

...back to the main thread:

> But at the same time I do feel it is an effective barrier against the
> thousands of "wouldn't it be fun if" black hat wannabes and even against
> black hats who work without the benefit of a supporting organization.

I completely agree with not making it too easy to enter Debian, purely
from a point of view of Quality Assurance.

It's as simple as saying that if someone isn't careful with what they
do, they should not be given unsupervised upload rights: it's likely
that they'd break things, and the cost of going and fixing someone's
mess is usually higher than the cost of doing the thing right in the
first place. Mistakes happen, but their probability should be kept low.

However, we have had and do have several uncontroversially outstanding
and very active people in need of an account, and they should be kicked
*in*, and fast. As an AM I've seen a few, and inflicting a long NM
process on them is a waste: their skills and passion are better employed
in continuing their good work on Debian.

Ultimately, it boils down to the AM's faculty of judgement.

But if we change anything, whatever we devise ought to be a barrier for
people who are not good (or not ready) and at the same time must not be
in the way of people who have been and are doing good serious work.

IOW, when you get in the way of poor contributions it's called quality
assurance, but when you get in the way of good contributions it's called
bureaucracy. It's extremely important to always keep the difference in
mind.

Ciao,

Enrico

--
GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <enrico@debian.org>