Re: The Debian Maintainers GR

[Steve Langasek <vorlon@debian.org>]

On Thu, Aug 02, 2007 at 08:12:09AM +0200, Bart Martens wrote:

> On Thu, 2007-08-02 at 14:38 +1000, Anthony Towns wrote:
> > At present, how do you find packages that have been packaged by non-DDs
> > and uploaded with the minimal checks by a DD in order to review them,
> > or just get a sense of how common it is?

> The non-DD packager is identified by the "Maintainer:" field, and the
> sponsors is identified by the signature.

There are lots of packages that have sponsored uploads.  How do you tell
which ones have been uploaded *without substantive review by the sponsors*?

That's a more useful bit of information than just knowing who's being
sponsored.  There's no way to get that information with the present
sponsoring system, but with DM you would be able to clearly identify a set
of packages that have been uploaded without DD review.

In fact, they can be identified so clearly that it would probably be worth
setting up a mailing list to feed debdiffs to from DM sourceful uploads, so
people who wanted to keep an eye on the quality of the uploads could do so.

> > With DMs, you check for uploads signed by a key in the DM keyring.
> 
> With sponsors you can check for uploads signed by a key in the Debian
> Developers keyring.

WTF? *all* uploads to Debian are signed by a key in the Debian Developers
keyring.

> > there's a chain of trust to the actual uploads, 

> Introducing DM's uploading directly to unstable makes "the chain of
> trust to the actual uploads" less safe.

On the contrary, what it does is make the chain of trust *shorter* -- that's
a good thing, because it makes it easier to figure out who's responsible for
the contents of an upload.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/