
Re: Reforming the NM process



On 15 Apr 2006, Raphael Hertzog uttered the following:

> On Sat, 15 Apr 2006, Manoj Srivastava wrote:
>>> We'll never tell that! We just tell "we trust you to maintain <x>
>>> according to our standards but since you didn't go (yet) through
>>> full NM, we don't trust you on working on anything you'd want".
>>
>> Err, I am not sure we do say that.  Seems to me that the fact
>
> Well, we would tell that if we implemented the idea of aj to give
> limited upload rights to some people. (My sentence was implicitly
> conditional)
>
>> the packages need be checked by a sponsor means we say we are not
>> quite sure you can package things to our standards yet, but we
>> applaud that you are trying to learn, so here is an experienced
>> person to help to reach that level of skill.
>
> Yeah but after 3-4 uploads a new package has usually reached a level
> of quality where the sponsorship doesn't mean much more and is
> more of a burden than a really useful check.

        Umm, any new upstream still requires things to be checked. For
 libraries, you need to know if you need a new soname, or if the shlib
 version needs to be bumped.  You need to check the diff for any
 malware.

        Essentially, currently you need to be performing your duties
 as a sponsor -- validating the project's trust in whether or not you
 are checking to see if the code allowed into the archive is kosher.

        The person who created the code has not passed the checks
 that the project has in place, right now, to establish trust.  Either we
 change the trust granting process (with proper
 demonstration/arguments that the new process shall not raise the
 risks to the  project), or we follow the process currently in place.

> So what else (apart from the work of creating the package) do we
> want from the maintainer before we grant him upload rights limited
> to the package he created / took over?

        We want some indication we know who the maintainer is, a feel
 for whether they agree with our principles, and a feel for level of
 commitment, and some level of comfort that they are not going to
 deliberately sabotage the project, and that they have demonstrated
 enough familiarity with the packaging process that the likelihood of
 an inadvertent compromise is reduced (hey, everyone makes mistakes,
 and bugs happen, even critical ones, but more mistakes are made by
 novices new to a task than by those familiar with it).

>> not sure if this discussion is going anywhere
>
> Me neither ... the interesting thing to discuss is what we want to
> check before we grant those limited rights and not what we're
> discussing right now. Bernhard seems to ignore the problems of the
> NM system that are acknowledged by almost everybody.

        See above.  I would be interested to see how the minimal
 requirements of allowing unmonitored uploads can be met without
 resulting in something that looks like NM.

        manoj
-- 
One is not noble if one harms other living creatures. It is by non
violence to all forms of life that one is called noble. 270
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C