[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Planned changes to Debian Maintainer uploads

gregor herrmann writes ("Re: Planned changes to Debian Maintainer uploads"):
> On Mon, 11 Jun 2012 18:29:46 -0400, Joey Hess wrote:
> > Ansgar Burchardt wrote:
> > >  - It applies to all DMs listed as Maintainer/Uploaders. It is not
> > >    possible to grant upload permission to only a specific DM.
> > Isn't that the point of listing a DM in the field? Why would you want to
> > list someone as a Maintainer and not allow them to upload a package?
> In a packaging team, Uploaders: can contain several people working on
> a package; with DMUA:yes all of them who are DMs can upload it even
> if some became DMs for totally unrelated packages originally.

Surely this can be handled by social rather than technical controls.
Not every bad behaviour needs to be prevented by specific access

> More elaborate:
> http://lists.debian.org/debian-perl/2007/11/msg00075.html

To quote your example:

  Imagine package $P now has as Uploaders: $A and $B (non-DDs). $A gets
  DM status. I am pretty confident that $A is capable of maintaining $P,
  so on $A's request, I upload $P with DM: yes. $A is happy and so am I.

  Next month, $B, who also maintains non-pkg-perl package $Q, gets DM
  status because his sponsor is tired of uploading $Q and is pretty
  confident that $B can handle $Q appropriately.

  Bang! $B can upload $P too. I gave $B this right, *unintentionaly*.

This is very easy to deal with.  You can simply tell $B, when you add
them to Uploaders, that regardless of whether they are a DM they are
not to upload $P themselves without following whatever approval
process the pkg-perl team have decided on.

Mentioning someone in Uploaders doesn't mean "you are entitled to do
everything you can".  It means "you are trusted to follow the
conventions and processes for the maintenance of this package".

Or to put it another way: supposing $B came to me as a sponsor with a
proposed upload for $P.  Since $B was in Uploaders I would do pretty
minimal sanity checks on the package; I probably wouldn't even ask $B
to confirm that they were expected to prepare uploads for $P.  From
the point of view of the other members of the team maintaining $P
there is very little difference between $B doing the upload
themselves, and them getting me to rubber-stamp it.


Reply to: