
Re: Developers vs Uploaders

On Wed, 14 Mar 2007, Bastian Venthur wrote:
> My first thought: do we really need this new class of contributors? I
> mean how many people do you currently know fitting in this category
> (don't like to become DD just maintainers).

I know 2-3 of them already. And because we make it possible, it might
encourage others to contribute with limited time investment.

> I guess there will be some, but I think the amount of people should be
> high enough to legitimate such a big change in our infrastructure.

The changes are done already. 

> My second thought: Should we really allow anonymous people to upload
> packages? Shouldn't they at least prove that they are who they claim to
> be (via gpg-key signed by an existing DD)?

Ack, the key of the maintainer should be signed by a DD at least or have a
trusted path.

> Who is responsible if a maintainer uploads malware, the one who
> recommended him? Can we really expect those DDs to take full
> responsibility if they aren't forced to check every package like they
> currently have to do when sponsoring?

The maintainer is responsible, if he does stupid stuff, we revoke his
upload rights and that's it. We don't add completely random people in this
keyring, but people with whom we have created trust and good relationship
already: they get maintainers rights only after several rounds of positive

> What is our current NM-process for? Especially all those tests you have
> to go through. Is it just for the right to vote and the access to our
> machines?

It's for the right to change anything in the archive: the power to NMU.

> Oh, and will there be a vote about this issue or is it still in the
> discussion-phase or is it already decided?

Why should we vote on this? We never vote on new infrastructure, we
didn't vote when we created the NM process or the sponsorship.

Raphaël Hertzog

First French book on Debian GNU/Linux:
