On Wed, Mar 14, 2007 at 08:50:06PM +0100, Bastian Venthur wrote:
> My first thought: do we really need this new class of contributors? I
> mean how many people do you currently know fitting in this category
> (don't like to become DD just maintainers).

It's not "don't want to be a DD", it's "aren't a DD, but are still able
to be trusted to some extent". For example, we've got around 2000 unique
maintainers these days [0], which is about twice the number of DDs we
have...

> My second thought: Should we really allow anonymous people to upload
> packages? Shouldn't they at least prove that they are who they claim to
> be (via gpg-key signed by an existing DD)?

Yes, definitely. (That's mentioned in some of the references in my
earlier email)

> Who is responsible if a maintainer uploads malware, the one who
> recommended him?

The maintainer who uploads it is responsible. The one who recommended
him is responsible for recommending someone who uploaded malware.

Both those would likely be treated differently if it was repeated or
deliberate compared to rare or accidental, of course. If we decide it's
worth more than a warning in either case, we'd respond by removing the
maintainer's ability to upload or stop accepting recommendations from
the developer, respectively.

> Oh, and will there be a vote about this issue or is it still in the
> discussion-phase or is it already decided?

If discussion wasn't worthwhile, I wouldn't have posted...

Cheers,
aj

[0] projectb=> select count(name) from maintainer where name not like '%lists%';
     count
    -------
      2056
    (1 row)