Sven Mueller <[EMAIL PROTECTED]> writes: > Come on, the NM process isn't about trust (except for the GPG signature > part). It's (if that) about skills. And it's about endurance. I'm not > saying this is a bad thing, but pretending that the NM process builds up > trust is just plain wrong.
There is actually a non-trivial correlation between endurance and trust. If a hypothetical person wished to become a DD in order to do damage, the amount of time investment required for such an attack is prohibitive for all but the most determined. I think NM could be made much faster without a significant change in that analysis, but don't disregard the correlation completely. A process that takes a few months on the average does establish a significantly higher level of trust than a process that averages only a few days. Having a process that takes a significant length of time does tend to filter out anyone who isn't willing to make a long-term committment, and most attacks aren't worth that sort of long-term committment in the eyes of the attacker. Personally, I think a process shorter than six to nine months elapsed time from first contact to the project to becoming a DD would be a bad idea, not just for this reason but because I think asking people to demonstrate some degree of dedication and on-going effort on Debian before becoming a DD is quite reasonable and desirable. Now, first contact doesn't have to start with the NM application; if someone has been contributing to the project actively for some time, I have no problem with their application moving faster once they submit it. This isn't unusual. Most free software projects I've been involved with required a similar ongoing committment of work to be given direct commit privileges. In other words, I think NM should possibly be twice as fast as it currently is (and plan on at least trying to volunteer to be an AM as soon as my year waiting period is up to do my part), but I don't think it should be an order of magnitude faster. I was actually reasonably comfortable and content with the length of time it took my application to be processed (about seven months, plus an additional three or four months of work on Debian before I applied); if we can get all applicants up to that same level and maintain it, I think we'd be doing fine. I can also say from personal experience that the task-based T&S checks Marc did for me were excellent and felt a lot more rewarding than just answering questions would have been. -- Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/> -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
