On Wednesday 14 March 2007, Bastian Venthur wrote: > Anthony Towns schrieb: > > My theory is that we should do something like this: > > > > 1) create a class of contributors called "debian maintainers" > My first thought: do we really need this new class of contributors? I > mean how many people do you currently know fitting in this category > (don't like to become DD just maintainers). I guess there will be some, Well me for one: I've been actively involved with Debian for years (as a translator since march 2003, and as non-DD maintainer of 1 simple package since may 2005). Despite having been involved for years I still haven't bothered to go through the whole NM-process, and that's not because I think I can't pass it, but simply because I'm not looking forward to starting a long, drawn-out process (average time to complete NM is what? 6 months to a year?) As to why being able to upload my 1 package and only my one package would be a positive thing, consider the following: Several times now my sponsor was travelling, just plain busy or otherwise unavailable (I think the worst such delay was about a month), that's not worldshocking but it does increase turnaround. Also not being able to upload directly I tend to pool non-critical uploads more then I otherwise would (for instance I won't bug my sponsor with a package update containing just 1 new debconf translation), again leading to turnaround being slower. -> is this critical? No, if I had a critical bug and my sponsor is unavailable I could probably find some DD willing to upload quickly enough -> is this suboptimal? IMHO definately > My second thought: Should we really allow anonymous people to upload > packages? Shouldn't they at least prove that they are who they claim to > be (via gpg-key singed by an existing DD)? This proposal has effects on 2 kinds of contributors: 1) long-time proven non-DD maintainers (for some definition of long-time and proven) -> they get a more effective workflow 2) the DD's sponsoring the upload of those maintainers -> they get to reduce their workload so IMO we're not talking about 'anonymous people' at all. As for the 'having a signed gpg-key', I don't see any problem having that as a requirement, anyone who's been actively involved with Debian for a while is unlikely not to meet this anyway. > Who is responsible if a maintainer uploads malware, the one who > recommended him? Can we really expect those DDs to take full > responsibility if they aren't forced to check every package like they > currently have to do when sponsoring? Currently you often have a situation where a particular DD has been sponsoring uploads for a particular package by a particular non-DD-maintainer for a long time. My guess is that in most such cases sufficient trust will have built that the DD will mostly upload the update after a cursory glance (especially if he's otherwise busy). This is basic human nature and so probably pointless to fight against. > What is our current NM-process for? Especially all those tests you have > to go through. Is it just for the right to vote and the access to our > machines? Being a full DD grants AFAIK the following: - voting rights - access to debian machines - access to debian-private - being able to NMU any package - being able to introduce new packages without having to find a sponsor - debian email adres - (I also seem to recall something about subcriptions to... was it lwn?) that's a lot broader then "being able to upload new versions of a particular package" -- Cheers, cobaco (aka Bart Cornelis)
Attachment:
pgpFruUpsXAV8.pgp
Description: PGP signature