Non-DDs as official Debian package maintainers
In a comment to a thread in d-private that I am not allowed to publish,
I wrote regarding packages with non-DDs in the maintainer field:
> I wholeheartedly want help also from non-DDs, I just see a problem
> relying on someone that we by definition do not (yet) trust.
On Wed, 21 Sep 2005 16:36:35 +0200
Gerfried Fuchs <firstname.lastname@example.org> wrote:
> * Jonas Smedegaard <email@example.com> [2005-09-21 15:00]:
> > On Wed, 21 Sep 2005 13:16:12 +0200 Gerfried Fuchs <firstname.lastname@example.org>
> > wrote:
> >> I see a problem relying on quite someone that we by definition
> >> _do_ trust yet.
> > I honestly do not understand you.
> > You do not rely on Debian?
> Oh, I do rely on Debian. But not necessarily more on DDs than
> non-DDs, which this is all about. Just because someone managed to get
> a @d.o address doesn't make him per definition more trustworthy to me.
> Especially not if that was done way before the current NM process, or
> even then just ages ago. People aren't more reliable just because they
> are DDs. People are people, that they are DDs only means that they were
> reliable enough over a certain period in time to convince their NM
> team. Apart from that...
> There were two people I did AM for, one is more or less MIA, the
> other one has resigned if I'm not completely mistaken. Things like
> that happen, and I can't follow your reasoning.
MIA is one thing (read the developers reference about that). Another
is the chance of a package "drifting": Non-DDs sponsored by different
DDs for each upload.
Yesterday I wanted to backport nvu to sarge. I was surprised to
discover that the tarball of nvu 1.0 instead contained 1.0RC - a
release candidate for 1.0. I checked the BTS for bugs already on this
- or on some of the many user-visible issues fixed in the latest
upstream release - and found in one of the bugreports for the package
the comment "i'm searching for a sponsor for the new revision."
Probably (but I don't know) the non-DD is not to blame here: I want the
uploader to take responsibility for having the software part of Debian.
Sponsoring an upload but not the next is not taking responsibility IMHO.
Debian is a social structure. If I behave badly then the "punishment"
is not so much that I get kicked from Debian (have we ever really done
that?) but that my friends in this community laugh, shout or ignore me.
Outsiders don't have same risk of social "punishment" - and maybe just
as important: we don't have the same possibility of getting out our
frustrations. Or more constructive: we don't have same possibility of
getting to the core of a problem to understand and learn from it. Not
so much because non-DDs go MIA, but because the channels are weaker
(the non-DD cannot hang out in our private club d-private) and the
interest in staying friends is perhaps also weaker (chances are higher
that a not-yet-DD loses interest in staying with the project due
to a verbal fight than a DD who has the community to lose if leaving).
> > The recently proposed requirements of releasable archs includes that
> > all packages must be built by DDs - does that not imply that we rely
> > more on those given trust by becoming members of Debian than other
> > participants in our community?
> a.) proposed. b.) it should imply it, though reality tells me
Sorry, I don't understand you. Maybe I express myself clumsily in the
first place, so let me try again:
http://release.debian.org/etch_arch_criteria.html says that "all
binary packages need to be built by Debian developers" (and notes that
there should really be nothing new in this).
Do you agree with my interpretation of the sentence that Debian puts
more trust in Debian developers than non-Debian developers?
Do you agree with the text or would you rather it was removed?
> > Don't get me wrong: I do want more members of Debian. But I like
> > some degree of "quality assurance" for those marked as package
> > maintainers.
> Don't get me wrong: I don't distrust every Debian member. But I don't
> think that the NM process is a "quality assurance" that I would build
> trust on.
What _would_ you build trust on?
As I understand it Debian bases its trust on people in the Debian
keyring, and that people only get into the Debian keyring either by
proving some basic technical skills and basic knowledge of our
shared ideology, or by having been part of the project since the
days when such formal access bar was not needed.
Here's what I want (if anyone is interested - so far I have only
experienced hostility when I offer my weird non-sponsoring help to
outsiders wanting packages into Debian):
A requirement that the Maintainer field always either matches an entry
in the Debian keyring or the email ends in "@debian.org" (so that
group-maintained packages at Alioth - where at least one in each group
must be a DD - is also allowed).
A requirement that latest changelog entry must match the person signing
the package for upload to the archive.
"Uh, but then the non-DD can't prove the skills of packaging for the
NM-process," I hear you say. No - just have the non-DD write separate
changelog entries so that it is obvious what parts of the work you did
and the non-DD did. You should do that anyway!
See the changelog of yaird for a good example. Erik van Konijnenburg is
the master of the packaging - I have a really hard time finding flaws
in his work - but still I take the responsibility of being the official
link between Debian and the software, because I am a DD and Erik is not.
> So long,
> Alfie [still quoteable outside private]
Great. Will do that (and sorry that I forgot to state similarly in my
last couple of posts on d-private).
 I imagine that in the old days the smaller community could more
easily spot social problems when they appear. But that is history. I
am more interested in discussing the situation now.
 But I must admit I have not yet filed a bugreport about this. The
package is stuck in unstable anyway due to general security concerns
(bug#306822), and when someone gets around to look at the source they
will no doubt discover this anyway...
* Jonas Smedegaard - idealist and Internet architect
* Tel.: +45 40843136 Website: http://dr.jones.dk/
- The end is near: http://www.shibumi.org/eoti.htm
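The two requirements proposed in the message above (the Maintainer field must match a keyring entry or end in "@debian.org", and the latest changelog entry must match the person signing the upload), sketched as an added example that is not part of the original post or of any Debian tool. The keyring set, the package data and the function names are constructed, and the signer address is assumed to come from a signature that was already verified elsewhere.

```python
from email.utils import parseaddr

# Constructed sample data: not real keyring contents or a real package.
KEYRING = {"dd.sponsor@example.org"}

CONTROL_NON_DD = "Source: examplepkg\nMaintainer: Contributor <contrib@example.net>\n"
CONTROL_DD = "Source: examplepkg\nMaintainer: DD Sponsor <dd.sponsor@example.org>\n"

CHANGELOG = """\
examplepkg (1.0-2) unstable; urgency=low

  * Review and upload.

 -- DD Sponsor <dd.sponsor@example.org>  Wed, 21 Sep 2005 18:00:00 +0200

examplepkg (1.0-1) unstable; urgency=low

  * Initial packaging.

 -- Contributor <contrib@example.net>  Tue, 20 Sep 2005 12:00:00 +0200
"""


def maintainer_email(control):
    """Address from the Maintainer field of debian/control, lowercased."""
    for line in control.splitlines():
        if line.lower().startswith("maintainer:"):
            return parseaddr(line.split(":", 1)[1].strip())[1].lower()
    return ""


def latest_changelog_email(changelog):
    """Address from the first trailer line (' -- Name <addr>  date')."""
    for line in changelog.splitlines():
        if line.startswith(" -- "):
            return parseaddr(line[4:].split("  ", 1)[0])[1].lower()
    return ""


def check_upload(control, changelog, signer, keyring):
    """Return the list of violated requirements (empty means accept)."""
    problems = []
    maint = maintainer_email(control)
    # Requirement 1: Maintainer is in the keyring or ends in "@debian.org".
    if maint not in keyring and not maint.endswith("@debian.org"):
        problems.append("maintainer-not-dd")
    # Requirement 2: newest changelog entry is by the person who signed.
    if latest_changelog_email(changelog) != signer.lower():
        problems.append("changelog-signer-mismatch")
    return problems
```

The older changelog entry by the non-DD contributor does not trigger a violation: only the newest entry is compared with the signer, which keeps the separate credit the message asks for.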