Re: Non-DDs as official Debian package maintainers
* Jonas Smedegaard:
> In a comment to a thread in d-private that I am not allowed to publish,
> I wrote regarding packages with non-DDs in the maintainer field:
>> I wholeheartedly want help also from non-DDs, I just see a problem
>> relying on someone that we by definition do not (yet) trust.
Just because you encourage someone to provide input, you do not
automatically follow any of his advice, trusting him completely.
With respect to security updates, we have basically three choices: no
action because the sponsoree is not trusted, and no DD comes to the
rescue; some DD steps up and fixes the package, without help from
someone who is familiar with it (which may or may not lead to a
working package with a proper fix); or a DD discusses the issue with
the sponsoree and they come up with a solution together (whose
security aspect is again reviewed by the appropriate security team).
In the latter case, I would prefer if the DD were the sponsor, hence
my desire to base security support primarily on DDs, and only on
sponsored maintainers if absolutely necessary. However, I understand
that this approach could be luxury we cannot afford.