
Re: package ownership in Debian

Manoj Srivastava wrote:
> > Co-maintainers are much closer to what is being done in a package
> > than joe-random developer.  Also, co-maintainership is far less
> > prone to fire-and-forget uploads that hose things, and are nicer to
> > people who feel very strongly about their packages.
>         Co-maintainerships require communication, and ability and
>  desire to share decisions, can result in a culture of "it is someone
>  else's problem (neat aphorism in German, I believe)", and if the team
>  does not trust one of the members, then things can turn ugly.

There's another problem with team maintained packages.  The Security
Team has to work on packages that are team-maintained in sid every
once in a while.  Often we want to get in touch with the maintainer
privately before disclosure or before releasing the advisory.

With team-maintained packages, the maintainer address often points to
a mailing list, so we can't talk to them.  Even worse are packages
in whose changelog the entries aren't signed by a real person but
by a list address as well.  That's some sort of anonymous maintenance.

For such packages the Security Team has problems reaching a person
to talk to them in time so that we can discuss fixes and prepare

The last example I remember is not old and it demonstrated another
problem.  We contacted the list address but only got a response after
we'd opened a bug report, when we released the advisory without any
maintainer response.  I'm not exactly sure team-maintenance really
helps here...



MIME - broken solution for a broken design.  -- Ralf Baechle
