Re: package ownership in Debian
Manoj Srivastava wrote:
> > Co-maintainers are much closer to what is being done in a package
> > than joe-random developer. Also, co-maintainership is far less
> > prone to fire-and-forget uploads that hose things, and are nicer to
> > people who feel very strongly about their packages.
>
> Co-maintainerships require communication, and ability and
> desire to share decisions, can result in a culture of "it is someone
> else's problem (neat aphorism in german, I believe)", and if the team
> does not trust one of the members, then things can turn ugly.
There's another problem with team maintained packages. The Security
Team has to work on packages that are team-maintained in sid every
once in a while. Often we want to get in touch with the maintainer
privately before disclosure or before releasing the advisory.
With team-maintained packages, the maintainer address often points to
a mailing list, so we can't talk to them. Even worse are packages
in whose changelog the entries aren't signed by a real person but
by a list address as well. That's some sort of anonymous maintenance.
For such packages the Security Team has problems reaching a person
to talk to them in time so that we can discuss fixes and prepare
updates.
The last example I remember is not old and it demonstrated another
problem. We contacted the list address but only got a response after
we'd opened a bug report and released the advisory without any
maintainer response. I'm not exactly sure team-maintenance really
helps here...
Regards,
Joey
--
MIME - broken solution for a broken design. -- Ralf Baechle