Re: Reforming the NM process
On 15 Apr 2006, Raphael Hertzog uttered the following:
> On Sat, 15 Apr 2006, Manoj Srivastava wrote:
>>> We'll never tell that! We just tell "we trust you to maintain <x>
>>> according to our standards but since you didn't go (yet) through
>>> full NM, we don't trust you on working on anything you'd want".
>> Err, I am not sure we do say that. Seems to me that the fact
> Well, we would tell that if we implemented the idea of aj to give
> limited upload rights to some people. (My sentence was implicitly
>> the packages need be checked by a sponsor means we say we are not
>> quite sure you can package things to our standards yet, but we
>> applaud that you are trying to learn, so here is an experienced
>> person to help to reach that level of skill.
> Yeah but after 3-4 uploads a new package has usually reached a level
> of quality where the sponsorship doesn't bring mean much more and is
> more of a burden than a really useful check.
Umm, any new upstream still requires things to be checked. For
libraries, you need to know if you need a new soname, or if the shlib
version needs to be bumped. You need to check the diff for any
Essentially, currently you need to be performing your duties
as a sponsor -- validating the project's trust in whether or not you
are checking to see if the code allowed into the archive is kosher.
The person who created the code has not passed the checks
that the project has in place, right now, to establish trust. Either we
change the trust granting process (with proper
demonstration/arguments that the new process shall not raise the
risks to the project), or we follow the process currently in place.
> So what else (apart from the work of creating the package) do we
> want from the maintainer before we grant him upload rights limited
> to the package he created / took over?
We want some indication we know who the maintainer is, a feel
for whether they agree with our principles, and a feel for level of
commitment, and some level of comfort that they are not going to
deliberately sabotage the project, and that they have demonstrated
enough familiarity with the packaging process that the likelihood of
an inadvertent compromise is reduced (hey, everyone makes mistakes,
and bugs happen, even critical ones, but more mistakes are made by
novices new to a task than one familiar with it).
>> not sure if this discussion is going anywhere
> Me neither ... the interesting thing to discuss is what we want to
> check before we grant those limited rights and not what we're
> discussing right now. Bernhard seems to ignore the problems of the
> NM system that are acknowledged by almost everybody.
See above. I would be interested to see how the minimal
requirements of allowing unmonitored uploads can be met without
resulting in something that looks like NM.
One is not noble if one harms other living creatures. It is by non
violence to all forms of life that one is called noble. 270
Manoj Srivastava <email@example.com> <http://www.debian.org/%7Esrivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C