[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Developers vs Uploaders

Kevin Mark wrote:
> > The question is, is there a way we can minimize the overhead of integrating
> > contributions from folks who aren't (yet) DDs?  Given what I see and hear
> > from various sponsors, the review of sponsored uploads is already a joke;
>                                                                     ^^^^^^^
> > various sponsors already trust their sponsorees implicitly, so if there's
> > already no real review happening, are we better off dispensing with the
> > illusion?
> The assumtion about a DD is that they can be trusted to upload with only
> a neglible risk to the archive.

Yes, and there are various ways to accomplish this, not merely one. For
example, some DDs decide they can trust an upstream, and do not review
every line of code in a new upstream release, while others do not. 

You can generally tell the difference; DDs who review every line from
upstream tend to maintain fewer packages and take longer to get new
upstream releases packaged. They also occasionally spot problems,
although if you look at other code review processes, such as
debian-release's reviews to accept changes to frozen sofware, it might
be fair to say that such reviews tend to miss about as many problems as
they catch, and that even the most dedicated reviewers have to give up
on meaningful review of certian packages. It's also interesting to
compare the number of security holes such maintainers find via their
reviews of new versions of their packages with the number of security
holes others manage to find by targeted grepping of the whole archive.

Similarly, some DDs (myself included), eventually decide they can trust
a sponsee, and do not review every line of their patches.

> You assert that there is not enough certainty about sponsored uploads
> because of the unknown or inconsistent quality of sponsor's reviews.

I don't believe that's what he's saying.

see shy jo

Attachment: signature.asc
Description: Digital signature

Reply to: