Re: package ownership in Debian

To: debian-project@lists.debian.org
Subject: Re: package ownership in Debian
From: Martin Schulze <joey@infodrom.org>
Date: Sat, 29 Jul 2006 19:28:29 +0200
Message-id: <[🔎] 20060729172829.GD1655@finlandia.home.infodrom.org>
In-reply-to: <[🔎] 200607291902.20062.danchev@spnet.net>
References: <20060728152321.GA5992@steve.org.uk> <[🔎] 87psfpb34z.fsf@glaurung.internal.golden-gryphon.com> <[🔎] 20060729064816.GU1655@finlandia.home.infodrom.org> <[🔎] 200607291902.20062.danchev@spnet.net>

George Danchev wrote:
> On Saturday 29 July 2006 09:48, Martin Schulze wrote:
> > Manoj Srivastava wrote:
> > > > Co-maintainers are much closer to what is being done in a package
> > > > than joe-random developer.  Also, co-maintainership is far less
> > > > prone to fire-and-forget uploads that hose things, and are nicer to
> > > > people who feel very strongly about their packages.
> > >
> > >         Co-maintainerships require communication, and ability and
> > >  desire to share decisions, can result in  a culture of "it is someone
> > >  elses problem (neat aphorism in german, I believe)", and if the team
> > >  does not trust one of the members, then things can turn ugly.
> >
> > There's a nother problem with team maintained packages.  The Security
> > Team has to work on packages that are team-maintained in sid every
> > once in a while.  Often we want to get in touch with the maintainer
> > privately before disclosure or before releasing the advisory.
> >
> > With team-maintained packages, the maintainer address often points to
> > a mailing list, so we can't talk to them.  Even worse are packages
> > in whose changelog the entries aren't signed by a real person but
> > by a list address as well.  That's some sort of anonymous maintenance.
> >
> > For such packages the Securtity Team has problems reaching a person
> > to talk to them in time so that we can discuss fixes and prepare
> > updates.
> >
> > The last example I remember is not old and it demonstrated another
> > problem.  We contacted the list address but only got a response after
> > we've opened a bug report when released the advisory without any
> > maintainer response.  I'm not exactly sure team-maintenance really
> > helps here...
> 
> Good point. If a mailing list is listed in Maintainer:, then I see adding all 
> package co-maintainers to the Uploaders: field, as a possible resolution. Hm, 
> some of these co-maintainers might in fact be non-DD's, but I don't see any 
> problems for the security team to talk to such parties when dealing with the 
> situation described above. Or am I badly wrong about that ?

It's not too relevant whether the maintainer is a DD or is not yet.
Only when we would like to keep things under a blanket for a while,
we'd really like the issue not to be leaked before their official
disclosure.

Regards,

	Joey

-- 
MIME - broken solution for a broken design.  -- Ralf Baechle

Reply to:

References:
- Re: package ownership in Debian
  - From: Manoj Srivastava <srivasta@debian.org>
- Re: package ownership in Debian
  - From: Martin Schulze <joey@infodrom.org>
- Re: package ownership in Debian
  - From: George Danchev <danchev@spnet.net>

Prev by Date: Re: Extremadura Regional Government of Spain will switch to Debian GNU/Linux and ODF on all the computers
Next by Date: Re: Why does Ubuntu have all the ideas?
Previous by thread: Re: package ownership in Debian
Next by thread: Re: package ownership in Debian
Index(es):
- Date
- Thread