[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Naming of non-uploading DDs

Lucas Nussbaum <lucas@lucas-nussbaum.net> writes:

> If we go for DDs without upload rights, I think that we should be
> extremely careful about not transforming this new kind of DDs into
> second-class members of the project. A way to do that is to avoid giving
> them a name, and emphasize the fact that they are DDs, not another
> sub-kind of project members. The "no upload rights" part would just be a
> minor technical distinction.

I wholeheartedly second this.

I'm one of the people who has previously argued for giving different sets
of privileges different names, but after reviewing this thread, I think I
was wrong.  I don't think we should so that at all.

DDs already have widely varying privileges.  We have different levels of
commit access to various project repositories.  Some of us have logins on
some systems that others do not.  I have sudo access to lintian, for
example, which most other DDs do not.  Some are DSA members and have root
access to many project systems.  Some are ftp-master team members and have
more direct access to the project archive.  There are numerous other
examples.  Yet we're all currently called DDs.

I think unlimited upload access should be simply another one of those sets
of permissions that some people have and others don't.  Those who need
that access to do their work can receive it after appropriate vetting of
their ability to use that access appropriately, just as someone would
volunteer to join ftp-master, or DSA, or keyring-maint, or the Lintian
maintenance team and would, after appropriate vetting, be given additional
privileges to do that work.  Having or not having additional access should
not change the basic DD status.

In fact, we should all be striving to follow the principle of least
privilege and *not* have access that we don't need and don't use, since
unused access is one of the primary vulnerabilities to any sort of
organizational security.  In the long run, I'd love to see a mechanism
whereby someone who was qualified for unlimited upload access but doesn't
need it for their current work in Debian could have it turned off, to
reduce Debian's attack surface, and then regain it later if the nature of
their work in Debian changes.

Similarly, along that same vein, could we stop calling it "upload rights"
and instead call it "upload access"?  "Rights" has connotations (at least
to this US English speaker) of citizenship, fundamental rights, and
similar ideas, which lead directly to the conception of someone without a
"right" as a second-class citizen of Debian.  I would much rather think of
it as access, just like sudo to a user, membership in some project group,
or commit access to some repository is an access control.  It's a security
and project safety measure following both best practices for access
control and a system of qualification to do something with direct impact
on other people's work (just like qualification for a driver's license is
required since one's operation of a car has a direct impact on other
people's use of their cars).  Someone without a "right" is someone we
think less of; someone without "access" is someone who doesn't need it or
who hasn't yet finished the qualification process for it.

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to: