On Wednesday 14 March 2007, Bastian Venthur wrote:
> Anthony Towns wrote:
> > My theory is that we should do something like this:
> >
> > 1) create a class of contributors called "debian maintainers"
>
> My first thought: do we really need this new class of contributors? I
> mean how many people do you currently know fitting in this category
> (don't like to become DD just maintainers). I guess there will be some,

Well me for one: I've been actively involved with Debian for years (as a translator since March 2003, and as non-DD maintainer of 1 simple package since May 2005).

Despite having been involved for years I still haven't bothered to go through the whole NM-process, and that's not because I think I can't pass it, but simply because I'm not looking forward to starting a long, drawn-out process (average time to complete NM is what? 6 months to a year?)

As to why being able to upload my 1 package and only my one package would be a positive thing, consider the following:

Several times now my sponsor was travelling, just plain busy or otherwise unavailable (I think the worst such delay was about a month), that's not worldshocking but it does increase turnaround.

Also not being able to upload directly I tend to pool non-critical uploads more than I otherwise would (for instance I won't bug my sponsor with a package update containing just 1 new debconf translation), again leading to turnaround being slower.

-> is this critical? No, if I had a critical bug and my sponsor is unavailable I could probably find some DD willing to upload quickly enough
-> is this suboptimal? IMHO definitely

> My second thought: Should we really allow anonymous people to upload
> packages? Shouldn't they at least prove that they are who they claim to
> be (via gpg-key signed by an existing DD)?

This proposal has effects on 2 kinds of contributors:
1) long-time proven non-DD maintainers (for some definition of long-time and proven)
   -> they get a more effective workflow
2) the DDs sponsoring the upload of those maintainers
   -> they get to reduce their workload

so IMO we're not talking about 'anonymous people' at all.

As for the 'having a signed gpg-key', I don't see any problem having that as a requirement, anyone who's been actively involved with Debian for a while is unlikely not to meet this anyway.

> Who is responsible if a maintainer uploads malware, the one who
> recommended him? Can we really expect those DDs to take full
> responsibility if they aren't forced to check every package like they
> currently have to do when sponsoring?

Currently you often have a situation where a particular DD has been sponsoring uploads for a particular package by a particular non-DD-maintainer for a long time. My guess is that in most such cases sufficient trust will have built that the DD will mostly upload the update after a cursory glance (especially if he's otherwise busy). This is basic human nature and so probably pointless to fight against.

> What is our current NM-process for? Especially all those tests you have
> to go through. Is it just for the right to vote and the access to our
> machines?

Being a full DD grants AFAIK the following:
- voting rights
- access to debian machines
- access to debian-private
- being able to NMU any package
- being able to introduce new packages without having to find a sponsor
- debian email address
- (I also seem to recall something about subscriptions to... was it lwn?)

that's a lot broader than "being able to upload new versions of a particular package"

-- 
Cheers, cobaco (aka Bart Cornelis)