
Re: Q to all candidates: NEW queue



On Friday, March 27, 2020 9:37:28 AM EDT Lucas Nussbaum wrote:
> On 27/03/20 at 09:23 -0400, Scott Kitterman wrote:
> > On Friday, March 27, 2020 8:40:11 AM EDT Lucas Nussbaum wrote:
> > > On 27/03/20 at 12:23 +0100, Martin Pitt wrote:
> > > > At least during my many years of Ubuntu archive administration I've
> > > > actually seen quite a lot of packages which contained non-distributable
> > > > files, had hilariously broken maintainer scripts (which could then also
> > > > damage *other* software on your system), and the like. For these an
> > > > initial NEW review was quite important.
> > > > 
> > > > That proposal is assuming that the "package gets reviewed, a bug is
> > > > filed" step actually happens timely, but that is precisely the problem --
> > > > with such a workflow we would essentially stop having NEW review and just
> > > > hope that someone catches bad packages before they get released. So IMHO
> > > > this is not a solution, and only causes buggy packages to creep into
> > > > unstable.
> > > 
> > > So in my original mail, I proposed that new packages would get
> > > immediately accepted into unstable, but would still require a review
> > > before migrating to testing. I believe that it's an interesting
> > > compromise, because:
> > > - while in unstable, they would get tested by our regular QA tools, that
> > >   are likely to find some of the issues ftpmasters would have found
> > > - it makes it possible for the maintainer to get early feedback from
> > >   users, and to continue working on packaging reverse dependencies.
> > > - it's unstable, so even if it's severely broken, it's probably not a
> > >   big deal. We have lots of packages in unstable that have been severely
> > >   broken for years anyway.
> > > - it protects 'testing' (and our stable releases) from unreviewed
> > >   packages.
> > > 
> > > Of course this only works if Debian doesn't get sued for copyright
> > > infringement too often. I wonder if that would be a problem (it's
> > > probably less likely to be a problem for packages in 'main' than for
> > > packages in 'non-free').
> > > 
> > > Lucas
> > 
> > What's "too often"?
> 
> I don't know. Has it happened in the past? How frequently does ftpmaster
> run into things that would/could trigger a lawsuit?

I'm not aware of it ever happening and I think that's the acceptable
frequency. Such lawsuits are insanely expensive to defend. I don't know how
often it happens, it's not like we track it that way. We did catch one really
high risk package this month and it wasn't the code that was risky, it was the
data. So it happens.

Scott K
