Quoting Ximin Luo (2017-01-05 13:51:00)
> Jonas Smedegaard:
>> Quoting Ximin Luo (2017-01-05 12:53:00)
>>> Pirate Praveen:
>>>> On Thursday 05 January 2017 04:22 PM, Jérémy Lal wrote:
>>>>> This is great, but is this serious ?
>>>>> Anyone knows what's happening ?
[...]
>>>> I'm taking a packaging workshop at College of Engineering Pune [1].
>>>>
>>>> This is 4th day of the workshop and many have completed their packages
>>>> and are ready for upload.
[...]
>>> Hi, please don't add these people.
>>>
>>> People in the alioth group have read-write access to all
>>> pkg-javascript git repos as well as shell access on that machine.
>>>
>>> I don't think it's right to give this many people, who show up at an
>>> event, this level of access without any other requirement. It is too
>>> dangerous.
[...]
>> We do not in this team have any rules for membership that one must
>> first prove her worth by packaging outside of Debian, not that they
>> must use their spare time doing so!
>>
>> I am concerned if people requesting to join are fully aware what it is
>> they join, which is why I asked about that. But I see nothing wrong
>> with approving people we don't know well.
> >
> > We must recognize that we have little security fencing the assets of
> > this team, and treat them accordingly (double-check what you pull, sign
> > changes you make, etc.). Making it harder to join this team does *not*
> > help secure our assets!
> >
>
> We don't have hard rules, but we all have our ideas about what is
> right or wrong. For you, it is a question of "are they aware". For me,
> I explained it in my other email, and it roughly overlaps with "are
> they aware".
>
> The security aspect is just one factor, not the main factor.

Ok, you now tell me that security is not the main factor. I clearly read your previous email as if security was the main factor for rejecting these requests.

For clarity of discussion I shall *ignore* the security factor.

> But to give more detail, (a) just because we have "little" security,
> doesn't mean we have to make it quantitatively worse, which we will do
> if we add anyone that asks - it adds surface area. And (b) the
> standards of time and continual maintenance that I described
> elsewhere, also indicates that a person is careful about their general
> computing practices, which also helps to not-reduce security -
> compared to giving access to a random person.

Do I understand you correctly that in your opinion the main factor is devotion to continued maintenance?

If so, then we agree on what is "main factor" - but still we disagree on how to then deal with it: It seems Praveen finds it reasonable to approve "because they are ready to upload their packages", and it seems you find that exact situation reason for rejecting.

I find it neither a reason to reject nor a reason to approve.

I welcome into this team any and all persons who feel they are ready to *maintain* official Debian packages.

I find it wrong to impose restrictions on that, but I want to emphasize _maintain_ - this team is *not* the Javascript *contribution* team (there are other methods to contribute to Debian in other ways than continuous maintenance).

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private