
Re: Debian Membership



On Sat, Mar 14, 2009 at 09:56:20PM -0700, Richard Hecker wrote:
> Frans Pop wrote:
>> On Saturday 14 March 2009, Matthew Johnson wrote:
>>   
>>> Being part of the project, particularly with upload rights, is
>>> something I believe _should_ be difficult. This restriction on access
>>> to the archive is one of our strengths, it gives us a higher quality of
>>> packaging (yes, there are exceptions, but they should be the exception,
>>> not the rule) than would otherwise be possible.
>>>     
>>
>> The effort needed to go through the NM procedure also has an IMO important 
>> security aspect: it's quite unlikely that a "black hat" would be 
>> willing to make that effort to get in a position where (s)he could 
>> introduce trojaned packages into the archive.
>>
>>   
> I see things differently.  A true "black hat" would be willing to go
> through the trouble.  We may have a false sense of security here
> that basically applies to 'script kiddies.'  When I dealt with my
> colleagues 20 years ago, computer skills were rare and hard
> to acquire.  Just knowing they worked in the industry allowed
> certain assumptions to be made.  Now we have the /AOL
> effect to deal with (everyone thinks they are an expert ;-).
>
> We can wash out the 'script kiddies' and /AOL group by making
> the NM process difficult.  To identify talented developers and
> provide security is an entirely different matter.  Some of the
> seasoned professionals I have worked with will resent the hoops
> we ask them to jump through.  They have enough worthwhile
> projects they would like to spend their time on.
>
> This is a good discussion to have.  While we want the process to
> wash out certain undesirable elements, we do not want to annoy
> those who are qualified by wasting their time.  We may have
> conflicting goals here.  It would probably be a good idea to identify
> the assumptions we are starting with.

To be honest, this seems to me to be where the Ubuntu Membership Process seems 
to beat the Debian one. While Debian does a good job of getting rid of those 
people who don't really know what they're doing, and could potentially harm the 
project, it also has the potential to dissuade some people who would be great to 
have in the Debian Project, and have already proven themselves elsewhere.

For example, if a DD who had been in the Debian Project for a long time decided 
that they wanted to become part of the Ubuntu Project, then they could probably 
apply directly to the tech board, who would review their application, see that 
they have the necessary skills (as proven by their Debian participation) and 
"hand wave" them through the process.

Ubuntu has many different paths to get membership, and membership in Ubuntu 
isn't really the same as in Debian, it doesn't mean that they have upload 
rights, just means that they are "officially affiliated" with the project. 

Upload rights are done through a different manner. Generally, people are 
mentored through working with different packages by the current "MOTU" team, 
who, once they have seen a long term, high quality set of contributions to the 
project, will encourage the person to go through the MOTU application process, 
where the Ubuntu Technical Board (or possibly the MOTU council nowadays, 
Ubuntu's Governance seems to have been branched off in a lot of directions since 
I last had to go through any governance process) review the work, and make a 
decision as to whether the person should be allowed upload rights. This then 
gives them upload rights to "universe", and if they wish, the person can then go 
on and do pretty much the same thing to get into the core-dev team.

It does, however, give the ability for someone to go straight through into 
core-dev, if they have proven work somewhere else (say, Debian for example).

My suggestion to add to the NM process would be something along similar lines. 
We currently have a NM council, Front Desk, etc etc. I would think that it would 
be nice if we could add in a process where someone could get "hand waved" 
through NM based on a majority vote from an approved set of people (say FD, NM 
team, or something similar)

Battery's running out on my laptop, so I'll stop writing here, but I think I've 
covered the main point of what I wanted to say.

--
Regards,
Martin "Mez" Meredith

Attachment: signature.asc
Description: Digital signature

