On Wed, Mar 14, 2007 at 08:50:06PM +0100, Bastian Venthur wrote:
> My first thought: do we really need this new class of contributors? I
> mean how many people do you currently know fitting in this category
> (don't like to become DD just maintainers).
It's not "don't want to be a DD", it's "aren't a DD, but are still
able to be trusted to some extent". For example, we've got around 2000
unique maintainers these days [0], which is about twice the number of
DDs we have...
> My second thought: Should we really allow anonymous people to upload
> packages? Shouldn't they at least prove that they are who they claim to
> be (via gpg-key singed by an existing DD)?
Yes, definitely. (That's mentioned in some of the references in my earlier
email)
> Who is responsible if a maintainer uploads malware, the one who
> recommended him?
The maintainer who uploads it is responsible. The one who recommended
him is responsible for recommending someone who uploaded malware. Both
those would likely be treated differently if it was repeated or deliberate
compared to rare or accidental, of course.
If we decide it's worth more than a warning in either case, we'd respond by
removing the maintainer's ability to upload or stop accepting recommendations
from the developer, respectively.
> Oh, and will there be a vote about this issue or is it still in the
> discussion-phase or is it already decided?
If discussion wasn't worthwhile, I wouldn't have posted...
Cheers,
aj
[0] projectb=> select count(name) from maintainer where name not like '%lists%';
count
-------
2056
(1 row)
Attachment:
signature.asc
Description: Digital signature