
Re: Developers vs Uploaders



On Wednesday 14 March 2007, Bastian Venthur wrote:
> Anthony Towns schrieb:
> > My theory is that we should do something like this:
> >
> >      1) create a class of contributors called "debian maintainers"

> My first thought: do we really need this new class of contributors? I
> mean how many people do you currently know fitting in this category
> (don't like to become DD just maintainers). I guess there will be some,

Well me for one:

I've been actively involved with Debian for years (as a translator since 
March 2003, and as non-DD maintainer of 1 simple package since May 2005).

Despite having been involved for years I still haven't bothered to go 
through the whole NM-process, and that's not because I think I can't pass 
it, but simply because I'm not looking forward to starting a long, 
drawn-out process (average time to complete NM is what? 6 months to a 
year?)



As to why being able to upload my 1 package and only my one package would be 
a positive thing, consider the following:

Several times now my sponsor was travelling, just plain busy or otherwise 
unavailable (I think the worst such delay was about a month), that's not 
world-shocking but it does increase turnaround. 

Also not being able to upload directly I tend to pool non-critical uploads 
more than I otherwise would (for instance I won't bug my sponsor with a 
package update containing just 1 new debconf translation), again leading to 
turnaround being slower.

-> is this critical? No, if I had a critical bug and my sponsor is
   unavailable I could probably find some DD willing to upload quickly
   enough 
-> is this suboptimal? IMHO definitely

> My second thought: Should we really allow anonymous people to upload
> packages? Shouldn't they at least prove that they are who they claim to
> be (via gpg-key signed by an existing DD)?

This proposal has effects on 2 kinds of contributors:
1) long-time proven non-DD maintainers (for some definition of long-time
   and proven)
	-> they get a more effective workflow
2) the DD's sponsoring the upload of those maintainers
	-> they get to reduce their workload

so IMO we're not talking about 'anonymous people' at all.

As for the 'having a signed gpg-key', I don't see any problem having that as 
a requirement, anyone who's been actively involved with Debian for a while 
is unlikely not to meet this anyway. 

> Who is responsible if a maintainer uploads malware, the one who
> recommended him? Can we really expect those DDs to take full
> responsibility if they aren't forced to check every package like they
> currently have to do when sponsoring?

Currently you often have a situation where a particular DD has been 
sponsoring uploads for a particular package by a particular 
non-DD-maintainer for a long time.

My guess is that in most such cases sufficient trust will have built that 
the DD will mostly upload the update after a cursory glance (especially if 
he's otherwise busy). This is basic human nature and so probably pointless 
to fight against.

> What is our current NM-process for? Especially all those tests you have
> to go through. Is it just for the right to vote and the access to our
> machines?

Being a full DD grants AFAIK the following:
- voting rights 
- access to debian machines
- access to debian-private
- being able to NMU any package
- being able to introduce new packages without having to find a sponsor
- debian email address
- (I also seem to recall something about subscriptions to... was it lwn?)

that's a lot broader than "being able to upload new versions of a particular 
package"
-- 
Cheers, cobaco (aka Bart Cornelis)
