
Re: Questions for all candidates: decentralization of power



On Wed, Mar 31, 2010 at 11:24:50PM -0400, Mike O'Connor wrote:
> 
> The issue I was talking about had nothing to do with software crossing
> state lines.  It had to do with violating license agreements.  I'm not
> familiar with any procedures we must do before exporting software that
> you are alluding to.

> If we were to do what it seems like you want (correct me if I'm wrong
> about what you'd want).  We'd have to either open up the ftp-master
> machine to all developers, which worries me from a security standpoint,
> or we'd have to be willing to distribute potentially non-redistributable
> software off the machine to developers, which would worry me from a
> legal standpoint.

What I would like is at least read access to the NEW queue in the mirror of
ftp-master, and to my knowledge the last reason that was given to deny it is
the USA crypto export rules:

http://lists.debian.org/20090308040721.GA16257@dario.dodds.net

If it is not an export or a license violation for a member of the FTP team to
inspect a package, then I do not think it is for any other member of the
project. I am not proposing to give read access to the NEW queue for any
other purpose.

In the past I have tried to seed a peer review process of the packages in NEW
(http://wiki.debian.org/CopyrightReview), when the backlog was hundreds of
packages. I detected some problems, which were corrected before the FTP team
processed the package. In one case, the maintainer even completely retracted
the package. I hope that all of this saved some of your time. But I could only
do this for packages that were available on mentors.d.n or in a VCS, because of
the restriction on read access to the NEW queue on the ftpmaster mirror.

If it is because you do not trust the other DDs to respect the rule that packages
in the NEW queue must not be redistributed before they are accepted, then yes,
you have to do the work alone. If we do not think that the DDs respect the
rules (http://www.debian.org/devel/dmup, to which we could add a note about NEW
packages before opening up the mirror), how can we tell our users that our
system is secure?

Have a nice day,

-- 
Charles