Re: Developers vs Uploaders


On Thu, 15 Mar 2007, Anthony Towns wrote:
> Over the past few weeks, after Joey Hess created the jetring keyring
> management tool from whole cloth [0], I've been poking at changing dak
> to support a "maintainers" keyring [1] so that we can make it possible for
> people who want to work on just one or two packages to do exactly
> that. I think that's at a point that I'm happy with now, so ftpmaster
> now effectively has the ability to:
>     a) add a third keyring for people allowed to upload to the archive,
>        (in addition to debian-keyring.{gpg,pgp}) that contains keys for
>        "maintainers" and is managed separately to the developer keyring
>     b) restrict certain uploaders from sponsoring packages
>        (ie, signing a .changes file that claims to be made by
>        someone else) and from doing NMUs (ie, uploading a package that's
>        maintained by someone else and that they're not listed as an
>        Uploader for, or anything that needs NEW or BYHAND processing)

If the "Debian maintainer" uploads a package changing the
Maintainer/Uploaders field to his own name, what happens?

IMO it should fail. They shouldn't have the right to mark themselves
as maintainers/uploaders of random packages. This operation must be done
by a DD.

Raphaël Hertzog

