
Re: package ownership in Debian

On Saturday 29 July 2006 09:48, Martin Schulze wrote:
> Manoj Srivastava wrote:
> > > Co-maintainers are much closer to what is being done in a package
> > > than joe-random developer.  Also, co-maintainership is far less
> > > prone to fire-and-forget uploads that hose things, and are nicer to
> > > people who feel very strongly about their packages.
> >
> >         Co-maintainerships require communication, and ability and
> >  desire to share decisions, can result in a culture of "it is someone
> >  else's problem (neat aphorism in German, I believe)", and if the team
> >  does not trust one of the members, then things can turn ugly.
> There's another problem with team maintained packages.  The Security
> Team has to work on packages that are team-maintained in sid every
> once in a while.  Often we want to get in touch with the maintainer
> privately before disclosure or before releasing the advisory.
> With team-maintained packages, the maintainer address often points to
> a mailing list, so we can't talk to them.  Even worse are packages
> in whose changelog the entries aren't signed by a real person but
> by a list address as well.  That's some sort of anonymous maintenance.
> For such packages the Security Team has problems reaching a person
> to talk to them in time so that we can discuss fixes and prepare
> updates.
> The last example I remember is not old and it demonstrated another
> problem.  We contacted the list address but only got a response after
> we'd opened a bug report when we released the advisory without any
> maintainer response.  I'm not exactly sure team-maintenance really
> helps here...

Good point. If a mailing list is listed in Maintainer:, then I see adding all 
package co-maintainers to the Uploaders: field as a possible resolution. Hm, 
some of these co-maintainers might in fact be non-DDs, but I don't see any 
problems for the security team to talk to such parties when dealing with the 
situation described above. Or am I badly wrong about that?

pub 4096R/0E4BD0AB 2003-03-18 <people.fccf.net/danchev/key pgp.mit.edu>
fingerprint 1AE7 7C66 0A26 5BFF DF22 5D55 1C57 0C89 0E4B D0AB 
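One way to automate the check this thread implies (a source package whose Maintainer: is a list address and whose Uploaders: names nobody leaves the Security Team with no individual to contact privately). This is an added example, not code from this thread or from any Debian tool; the control stanzas are constructed samples and the list-domain heuristic is an assumption, not an authoritative definition of what counts as a list.

```python
import re
from typing import Dict, List

# Constructed sample debian/control stanzas; no real package is described.
SAMPLE_CONTROL = """\
Source: example-team-pkg
Section: utils
Priority: optional
Maintainer: Debian Example Team <pkg-example-maintainers@lists.alioth.debian.org>
Standards-Version: 3.7.2

Source: example-solo-pkg
Section: utils
Priority: optional
Maintainer: Jane Developer <jane@example.org>
Standards-Version: 3.7.2

Source: example-team-pkg-with-uploaders
Section: utils
Priority: optional
Maintainer: Debian Example Team <pkg-example-maintainers@lists.alioth.debian.org>
Uploaders: Jane Developer <jane@example.org>, John Hacker <john@example.org>
Standards-Version: 3.7.2
"""

# Assumed heuristic: an address at one of these domains is a mailing list,
# not a person. Extend to taste; the thread names no fixed rule.
LIST_DOMAINS = ("lists.debian.org", "lists.alioth.debian.org")

ADDR_RE = re.compile(r"<([^>]+)>")


def parse_control(text: str) -> List[Dict[str, str]]:
    """Parse the Source stanzas of a debian/control file: RFC 822-style
    paragraphs separated by blank lines, with continuation lines that begin
    with whitespace. Only the fields used below are interpreted."""
    stanzas: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    last_field = None
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current, last_field = {}, None
            continue
        if line[0] in " \t" and last_field:
            current[last_field] += " " + line.strip()
            continue
        field, _, value = line.partition(":")
        last_field = field.strip()
        current[last_field] = value.strip()
    if current:
        stanzas.append(current)
    return [s for s in stanzas if "Source" in s]


def is_list_address(contact: str) -> bool:
    """True when the e-mail part of 'Name <addr>' is at a known list domain."""
    m = ADDR_RE.search(contact)
    addr = (m.group(1) if m else contact).strip().lower()
    return addr.rsplit("@", 1)[-1] in LIST_DOMAINS


def human_contacts(stanza: Dict[str, str]) -> List[str]:
    """Individual (non-list) contacts from Maintainer: and Uploaders:.
    Uploaders are split on commas, which assumes no quoted commas in names."""
    contacts = [stanza.get("Maintainer", "")]
    if stanza.get("Uploaders"):
        contacts += [u.strip() for u in stanza["Uploaders"].split(",")]
    return [c for c in contacts if c and not is_list_address(c)]


def unreachable_packages(text: str) -> List[str]:
    """Source packages that list no individual person anywhere."""
    return [s["Source"] for s in parse_control(text) if not human_contacts(s)]


if __name__ == "__main__":
    for name in unreachable_packages(SAMPLE_CONTROL):
        print(f"{name}: Maintainer is a list and Uploaders names no person")
```

Run against a real control file by reading it into `unreachable_packages`; only `example-team-pkg` is flagged in the sample, because the third stanza gains reachable people through Uploaders: exactly as proposed above.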
