[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Developers vs Uploaders

On Thu, 15 Mar 2007 14:32:24 -0400, Joey Hess <joeyh@debian.org> said: 

> Yes, and there are various ways to accomplish this, not merely
> one. For example, some DDs decide they can trust an upstream, and do
> not review every line of code in a new upstream release, while
> others do not.

> You can generally tell the difference; DDs who review every line
> from upstream tend to maintain fewer packages and take longer to get
> new upstream releases packaged. They also occasionally spot
> problems, although if you look at other code review processes, such
> as debian-release's reviews to accept changes to frozen sofware, it
> might be fair to say that such reviews tend to miss about as many
> problems as they catch, and that even the most dedicated reviewers
> have to give up on meaningful review of certian packages. It's also
> interesting to compare the number of security holes such maintainers
> find via their reviews of new versions of their packages with the
> number of security holes others manage to find by targeted grepping
> of the whole archive.

        The implication, unless I am misreading things here, is that
 code reviews and inspection of upstream changes are ineffectual.
 Given that reviewing code for security is a labour intensive process,
 the inference is that it is not worth doing proactive inspections of
 code for potential problems, and it is better to work on other
 aspects of the project.

        I find that a startling conclusion, and I am wondering if I
 misunderstood, or should we really open the floodgates to uninspected
 code, on the grounds that inspections buy us little, if anything?

The worst is not so long as we can say "This is the worst." King Lear
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

Reply to: