Frans Pop wrote:
> On Saturday 14 March 2009, Matthew Johnson wrote:
> > Being part of the project, particularly with upload rights, is something I believe _should_ be difficult. This restriction on access to the archive is one of our strengths, it gives us a higher quality of packaging (yes, there are exceptions, but they should be the exception, not the rule) than would otherwise be possible.
>
> The effort needed to go through the NM procedure also has an IMO important security aspect: it's quite unlikely that a "black hat" would be willing to make that effort to get in a position where (s)he could introduce trojaned packages into the archive.
I see things differently. A true "black hat" would be willing to go through the trouble. We may have a false sense of security here that basically applies to 'script kiddies.' When I dealt with my colleagues 20 years ago, computer skills were rare and hard to acquire. Just knowing they worked in the industry allowed certain assumptions to be made. Now we have the /AOL effect to deal with (everyone thinks they are an expert ;-).

We can wash out the 'script kiddies' and /AOL group by making the NM process difficult. To identify talented developers and provide security is an entirely different matter. Some of the seasoned professionals I have worked with will resent the hoops we ask them to jump through. They have enough worthwhile projects they would like to spend their time on.

This is a good discussion to have. While we want the process to wash out certain undesirable elements, we do not want to annoy those who are qualified by wasting their time. We may have conflicting goals here. It would probably be a good idea to identify the assumptions we are starting with.

Richard