Re: The Debian Mentors Project

2003-05-13 Thread Fabio Massimo Di Nitto

Hi,

On Tue, 13 May 2003, Christoph Haas wrote:

> Hi, Fabio...
>
> On Tue, May 13, 2003 at 10:16:38PM +0200, Fabio Massimo Di Nitto wrote:
> > Really nice job but the first side effect is already there:
> >
> > Package: icaclient
>
> Thanks for the hint. That was a test package I was uploading to stress
> test the dupload process on the server. It wasn't really meant to stay
> there. :)

ehhe well i had no way to know :-)

> > I think upload must be moderated somehow.
>
> Let's see. I hope that the users are not misusing our server to upload
> pornography or warez. In fact we are checking the uploads in regular
> intervals and will kick those users and their packages out. A completely
> moderated dupload process will IMHO slow the whole process down.

Then i think that the suggestion made in another post to somehow limit the
download would be enough. In this way there will be no way to redistribute
illegal stuff around and people will not be tempted to do so from the
beginning.

Fabio

-- 
Our mission: make IPv6 the default IP protocol
"We are on a mission from God" - Elwood Blues

http://www.itojun.org/paper/itojun-nanog-200210-ipv6isp/mgp4.html




Re: The Debian Mentors Project

2003-05-13 Thread Fabio Massimo Di Nitto

Hi,

On Tue, 13 May 2003, Emile van Bergen wrote:

> Hi,
>
> On Tue, May 13, 2003 at 10:16:38PM +0200, Fabio Massimo Di Nitto wrote:
>
> > I think upload must be moderated somehow. Even the uploader himself claims
> > that he is unsure about licence of the product.
>
> Well, if the packages can only be downloaded by registered DDs, then the
> problem's solved I'd say?

Yes probably it is. Leaving the upload free and letting only DDs download is
a solution.

Fabio

-- 
Our mission: make IPv6 the default IP protocol
"We are on a mission from God" - Elwood Blues

http://www.itojun.org/paper/itojun-nanog-200210-ipv6isp/mgp4.html




Re: The Debian Mentors Project

2003-05-13 Thread Fabio Massimo Di Nitto

Hi,

On Tue, 13 May 2003, Rene Engelhard wrote:

> And that looks like it is f*cked. Is this Depends: done manually?
> I do not think dpkg-shlibdeps did that. Where is libc6?

Actually i was only worried about the licence because i know it can't be
there. We use it at work :-)

Fabio

-- 
Our mission: make IPv6 the default IP protocol
"We are on a mission from God" - Elwood Blues

http://www.itojun.org/paper/itojun-nanog-200210-ipv6isp/mgp4.html




Re: The Debian Mentors Project

2003-05-13 Thread Matthew Palmer
On Mon, 12 May 2003, tony mancill wrote:

> Apropos of this and Colin's statement, my suggestion is to make only a
> deb-src URL available on the site, and to only host source packages.  For

That would be one way to solve the problem.

> packages destined for the Debian archive, it's critical that they be
> reviewed as source, and that they build from source.  I do a fair amount
> of sponsoring, and never have need for a binary of the package being
> sponsored.

Nor have I.  No matter how much you trust the person supplying you with the
package, it's still your signature on the package as it goes into Debian. 
Not checking over the source is likely to cause much grief.


-- 
---
#include 
Matthew Palmer, Geek In Residence
http://ieee.uow.edu.au/~mjp16





Re: The Debian Mentors Project

2003-05-13 Thread Theodore Ts'o
On Mon, May 12, 2003 at 11:40:04PM -0400, Joe Nahmias wrote:
> 
> If I may make a suggestion, a user should only be able to upload a
> package that either:
> 
> a) doesn't appear in the repository
> 
> - -or-
> 
> b) already has the uploader as maintainer
> 
> - -or-
> 
> c) has a RFA/O bug filed in WNPP
> 

What I would suggest is similar.  If the package has never been
uploaded to the mentors repository, require that it be
moderated/approved by a DD.  After that, a package in the mentor
system can only be superseded by the package's "maintainer" (i.e., the
non-DD who is "responsible" for the package) or a DD.

What, you say people shouldn't trust the binaries for any purpose?  If
so, why have them there in the first place?  Just let it be a place
where the apt deb-src repository can be made available

- Ted
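
The upload rule proposed in the message above (first upload of a package held for DD approval, later uploads only from its maintainer or a DD), modelled as a small gate. This is an added example, not part of the original thread and not code from mentors.debian.net; the class, function and login names are hypothetical, and keeping competing first uploads pending until a DD picks one is an assumption.

```python
from dataclasses import dataclass, field

ACCEPT, HOLD, REJECT = "accept", "hold-for-dd-approval", "reject"


@dataclass
class MentorsRepo:
    """Toy model of the upload gate; all names here are hypothetical."""
    developers: frozenset                            # logins of registered DDs
    maintainer: dict = field(default_factory=dict)   # package -> responsible uploader
    pending: set = field(default_factory=set)        # (package, uploader) awaiting a DD

    def upload(self, uploader: str, package: str) -> str:
        owner = self.maintainer.get(package)
        if owner is None:
            if uploader in self.developers:
                # A DD's own first upload needs no second approval.
                self.maintainer[package] = uploader
                self._clear_pending(package)
                return ACCEPT
            # Never seen before and not from a DD: park it for moderation.
            self.pending.add((package, uploader))
            return HOLD
        # Known package: only its maintainer or a DD may supersede it.
        if uploader == owner or uploader in self.developers:
            return ACCEPT
        return REJECT

    def approve(self, developer: str, package: str, uploader: str) -> None:
        # Approval is the moderation step, so it is restricted to DDs.
        if developer not in self.developers:
            raise PermissionError(f"{developer} is not a DD")
        if (package, uploader) not in self.pending:
            raise LookupError(f"no pending upload of {package} by {uploader}")
        self.maintainer[package] = uploader
        self._clear_pending(package)

    def _clear_pending(self, package: str) -> None:
        # Once a package has an owner, competing first uploads are dropped.
        self.pending = {(p, u) for (p, u) in self.pending if p != package}


def walk_through():
    """Constructed scenario: two non-DDs race for the same package name."""
    repo = MentorsRepo(developers=frozenset({"dd_alice"}))
    log = [repo.upload("nm_bob", "foo"), repo.upload("nm_eve", "foo")]
    try:
        repo.approve("nm_eve", "foo", "nm_eve")   # self-approval by a non-DD
    except PermissionError:
        log.append("approval-denied")
    repo.approve("dd_alice", "foo", "nm_bob")     # DD picks bob as maintainer
    log.append(repo.upload("nm_bob", "foo"))      # maintainer supersedes
    log.append(repo.upload("nm_eve", "foo"))      # takeover attempt
    log.append(repo.upload("dd_alice", "foo"))    # any DD may supersede
    return log


if __name__ == "__main__":
    print(walk_through())
```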




Re: The Debian Mentors Project

2003-05-13 Thread Emile van Bergen
Hi,

On Tue, May 13, 2003 at 10:16:38PM +0200, Fabio Massimo Di Nitto wrote:

> I think upload must be moderated somehow. Even the uploader himself claims
> that he is unsure about licence of the product.

Well, if the packages can only be downloaded by registered DDs, then the
problem's solved I'd say? 

After all, if I understand correctly, the service is more intended for
use by sponsors who would upload them into unstable after checking, than
directly for users.

Cheers,


Emile.

-- 
E-Advies - Emile van Bergen   [EMAIL PROTECTED]  
tel. +31 (0)70 3906153   http://www.e-advies.nl




Re: The Debian Mentors Project

2003-05-13 Thread Rene Engelhard
Hi,

Fabio Massimo Di Nitto wrote:
> Really nice job but the first side effect is already there:
> 
> Package: icaclient
> Version: 6.30-2
> Priority: optional
> Section: net
> Maintainer: Christoph Haas <[EMAIL PROTECTED]>
> Depends: libxaw7

And that looks like it is f*cked. Is this Depends: done manually?
I do not think dpkg-shlibdeps did that. Where is libc6?

> I think upload must be moderated somehow. Even the uploader himself claims
> that he is unsure about licence of the product.

Jup. That is bad.

Christoph: sit down, grade 6 (fail) :)

Regards,

Rene
--
 .''`.  Rene Engelhard -- Debian GNU/Linux Developer
 : :' : http://www.debian.org | http://people.debian.org/~rene/
 `. `'  [EMAIL PROTECTED] | GnuPG-Key ID: 248AEB73
   `-   Fingerprint: 41FA F208 28D4 7CA5 19BB  7AD9 F859 90B0 248A EB73




Re: The Debian Mentors Project

2003-05-13 Thread Christoph Haas
Hi, Fabio...

On Tue, May 13, 2003 at 10:16:38PM +0200, Fabio Massimo Di Nitto wrote:
> Really nice job but the first side effect is already there:
> 
> Package: icaclient

Thanks for the hint. That was a test package I was uploading to stress
test the dupload process on the server. It wasn't really meant to stay
there. :)

> I think upload must be moderated somehow.

Let's see. I hope that the users are not misusing our server to upload
pornography or warez. In fact we are checking the uploads in regular
intervals and will kick those users and their packages out. A completely
moderated dupload process will IMHO slow the whole process down.

Again... thanks.

 Christoph

-- 
~
~
".signature" [Modified] 3 lines --100%--3,41 All




Re: The Debian Mentors Project

2003-05-13 Thread Fabio Massimo Di Nitto

Hi Daniel,

On Mon, 12 May 2003, Daniel K. Gebhart wrote:

> We are very proud to announce the opening of the mentors project. We
> have been working very hard[1] on this project since beginning of 2003.
> Now the time has come to test and use it!

Really nice job but the first side effect is already there:

Package: icaclient
Version: 6.30-2
Priority: optional
Section: net
Maintainer: Christoph Haas <[EMAIL PROTECTED]>
Depends: libxaw7
Architecture: i386
Filename:
dists/unstable/main/binary-i386/icaclient/icaclient_6.30-2_i386.deb
Size: 1452972
MD5sum: 11ddd288ac7fa0e1e52f4bc545988e1b
Description: Citrix ICA client
 The Citrix ICA client is needed to connect to Citrix terminal servers
 (Microsoft Windows-based multi-user servers).
 Caution: This program has a restrictive copyright. Maybe even packaging
 these files or using the packaged installation is illeagl.
installed-size: 3780

I think upload must be moderated somehow. Even the uploader himself claims
that he is unsure about licence of the product.

I did not go through all the thread so i will keep my mouth shut before
repeating the same stuff over and over :-)

Fabio

-- 
Our mission: make IPv6 the default IP protocol
"We are on a mission from God" - Elwood Blues

http://www.itojun.org/paper/itojun-nanog-200210-ipv6isp/mgp4.html




Re: The Debian Mentors Project

2003-05-13 Thread Drew Scott Daniels
I'm glad to see this service.

The Developer's Reference lists
http://www.internatif.org/bortzmeyer/debian/sponsor/ as being a place to
co-ordinate the sponsoring of packages. Currently it's unavailable to me
(down?). Other problems I have with it include: no place to upload
packages and it's for "Sponsorship of future Debian developers".

It's a great resource, but "The Debian Mentors Project" takes things a few
steps further. mentors.debian.net provides a place to put packages and a
chance for people to use the Debian system for uploading packages
(dupload, dput...). It also allows for a chance to practice using keys and
signing packages properly.

Alioth takes things in a different direction. Alioth allows non-DDs to
contribute directly to an active project and provides space to put
packages. Alioth can be thought of as a better spot for packages as it
doesn't easily allow for apt-get lines. Alioth does not allow for (afaik)
the usage of dput and dupload which is good practice for people who want
to become a Debian developer. Alioth doesn't seem to require that its
users want to become Debian developers.

 Drew Daniels




Re: The Debian Mentors Project

2003-05-13 Thread Luca - De Whiskey's - De Vitis
On Tue, May 13, 2003 at 05:41:12PM +0200, Emile van Bergen wrote:
> That's not mutually exclusive. Also, you ask who would ever wish to
> delegate the maintainership of a package. I think the answer is every DD
> who has filed a RFA on a package.

RFA is a Request For Adoption, not a delegation. There is no sense in making
a delegation. If one cannot/don't want to maintain a package any more, he lets
other people to take it (RFA or O).

> I know. However, there are *existing* packages for which DDs don't
> always have enough time or interest. If you think that isn't true, then
> what are all those orphaned packages doing on WNPP?
[...]
> I know. But because of the packages up for adoption, and the orphaned
> packages, I was under the impression that the DDs need help with those
> packages.

So what's the point? there is someone who wants to maintain a package?
Well: he should take it, close as many bugs as possible, produce a good
working release, and bring us results. Then what? what does he really need? a
repository for his work or a sponsor? Both you'd say, and that's it. For the
former he may use alioth, for the latter he needs a place to look for a willing
sponsor.

> If that's not the case, why are those orphaned packages not removed
> outright?

They are periodically removed.

> Well, I didn't see why you would object to the second sentence. If
> somebody's able to maintain a package through a sponsor well, he may
> still have no desire to become a DD.

So that's the point: you didn't get my reply at all. That sentence is unfair
because it blames the NM process, while mentors.debian.net tries to be a Debian
subproject. Debian that blames Debian?

> Well, mentors.debian.net exists, whereas the one you're describing does
> not, so apparently people felt more need for the former.

http://www.internatif.org/bortzmeyer/debian/sponsor/

Have you ever seen our "Developer's corner"?

ciao,
-- 
Luca - De Whiskey's - De Vitis  | Elegant or ugly code as well
aliases: Luca ^De [A-Z][A-Za-z\-]*[iy]'\?s$ | as fine or rude sentences have
Luca, a wannabe ``Good guy''.   | something in common: they
local LANG="[EMAIL PROTECTED]" | don't depend on the language.




Re: The Debian Mentors Project

2003-05-13 Thread Emile van Bergen
Hi,

On Tue, May 13, 2003 at 09:48:49AM -0500, Luca - De Whiskey's - De Vitis wrote:

> On Tue, May 13, 2003 at 12:07:12PM +0200, Emile van Bergen wrote:
> [...]
> > Regardless, I actually think it's a wonderful scalability measure
> > to provide some infrastructure that allows DDs to delegate some of
> > the packaging work to NMs in the queue, who can prove that they are
> > worth their salt, or to non-DDs, who can contribute to the project
> > in a controlled manner that way.
> 
> This is conceptually wrong: if a DD wishes to co-maintain his package,
> Debian offers alioth.d.o which is already up and running; if he wishes
> to delegate...  who wishes to delegate the maintainership of a
> package? I'd rather say that a DD sponsors other non-DD contributions.

That's not mutually exclusive. Also, you ask who would ever wish to
delegate the maintainership of a package. I think the answer is every DD
who has filed a RFA on a package.

There may be DDs who rather see another DD adopt the package, but I
imagine that most will rather see a NM or non-DD adopt it, possibly
sponsored by himself if he has some time remaining for this package,
than seeing it actually orphaned.

This is a different, looser form of delegation than working together on
Alioth on it.

> There is a plenty of ways a NM can contribute/join Debian: packaging
> is only the simplest. Try to take some job or a package from the QA,
> a task from http://www.debian.org/devel/todo/ or anything that can
> come out from the "Developer's corner" section on the main site.
> Non-DDs contributing in this way do not help Debian: have you ever
> read of our lacks of packages? You don't, because we haven't. 

I know. However, there are *existing* packages for which DDs don't
always have enough time or interest. If you think that isn't true, then
what are all those orphaned packages doing on WNPP?

> > I think there is a niche for such non-DD contributors.
> 
> No there is not. The fact is that if one wants to contribute Debian,
> that is to say help the DDs, he should work in those fields Debian
> needs help.

I know. But because of the packages up for adoption, and the orphaned
packages, I was under the impression that the DDs need help with those
packages.

If that's not the case, why are those orphaned packages not removed
outright?

> > Allowing DDs to take advantage of the work of lesser gods, whenever that
> > is practical and useful, seems a good thing for all parties concerned.
> 
> that's a pity... there is no one here who feels to be a god: unfortunately,
> there are many outside here that think to be... looser gods.

It's just a phrase. I haven't a clue what looser gods are, BTW.

> Finally, i do not understand why you quoted my mail...
> I was only objecting with this sentence:
> 
>   But becoming a DD is a long and painful way. Many developers just want
>   to make their software available to Debian users but not become DDs.
>   They are invited to upload their packages here and tell other users
>   about this server.

Well, I didn't see why you would object to the second sentence. If
somebody's able to maintain a package through a sponsor well, he may
still have no desire to become a DD.

I agree that the very last sentence is a little questionable; this
function may already be provided by apt-get.org. However, from the
original announcement I understood that the primary target audience is
not the users, but potential sponsors, so that the packages may be (or
remain, in the orphaned case) part of Debian -- if the sponsoring DDs
think they are worthwhile and the packager did a good job that is.

From the original announcement at
http://lists.debian.org/debian-devel/2003/debian-devel-200305/msg00756.html

"This project is a benefit for maintainers (non-DDs) and their sponsors
(DDs). Maintainers are able to upload packages to mentors.debian.net
and point their sponsors to this server. Sponsors can download and test
this packages by downloading them after expansion their sources.list[2]."

> If you ask me what i think about mentors.debian.net i'd say we do not
> need such a service: i would have made any contributor to use alioth
> (register, work on your favorite package and release it). A better
> service would have been to create a place to coordinate people looking
> for sponsorship with those willing to offer it.

Well, mentors.debian.net exists, whereas the one you're describing does
not, so apparently people felt more need for the former.

Cheers,


Emile.

-- 
E-Advies - Emile van Bergen   [EMAIL PROTECTED]  
tel. +31 (0)70 3906153   http://www.e-advies.nl




Re: The Debian Mentors Project

2003-05-13 Thread Bob Hilliard
Christoph Haas <[EMAIL PROTECTED]> writes:

>   However the service
> was created especially for people who e.g. have written an application
> themselves and do not care about becoming a DD.

 I object to the concept of "people who do not care about becoming
a DD"  becoming maintainers of packages.  Permitting prospective
developers to get sponsored packages in Debian is generally accepted
(but not by me), but allowing any random hacker to get a package in
without even starting the new-maintainer process is totally
unacceptable. 

Regards,

Bob
-- 
   _
  |_)  _  |_Robert D. Hilliard<[EMAIL PROTECTED]>
  |_) (_) |_)   1294 S.W. Seagull Way <[EMAIL PROTECTED]>
Palm City, FL 34990 USA   GPG Key ID: 390D6559 





Re: The Debian Mentors Project

2003-05-13 Thread Luca - De Whiskey's - De Vitis
On Tue, May 13, 2003 at 12:07:12PM +0200, Emile van Bergen wrote:
[...]
> Regardless, I actually think it's a wonderful scalability measure to
> provide some infrastructure that allows DDs to delegate some of the
> packaging work to NMs in the queue, who can prove that they are worth
> their salt, or to non-DDs, who can contribute to the project in a
> controlled manner that way.

This is conceptually wrong: if a DD wishes to co-maintain his package, Debian
offers alioth.d.o which is already up and running; if he wishes to delegate...
who wishes to delegate the maintainership of a package? I'd rather say that a
DD sponsors other non-DD contributions.

There is a plenty of ways a NM can contribute/join Debian: packaging is only
the simplest. Try to take some job or a package from the QA, a task from
http://www.debian.org/devel/todo/ or anything that can come out from the
"Developer's corner" section on the main site.

Non-DDs contributing in this way do not help Debian: have you ever read of our
lacks of packages? You don't, because we haven't. Do you want to prove your
salt? You can do the same things a NM can do (see above). You insist in
maintaining a package, well take one and work on alioth in the mean while.

> I think there is a niche for such non-DD contributors.

No there is not. The fact is that if one wants to contribute Debian, that is to
say help the DDs, he should work in those fields Debian needs help.

> Allowing DDs to take advantage of the work of lesser gods, whenever that
> is practical and useful, seems a good thing for all parties concerned.

that's a pity... there is no one here who feels to be a god: unfortunately,
there are many outside here that think to be... looser gods.

> And no, IANADD.

We don't need you to tell us: db.debian.org does it.

Finally, i do not understand why you quoted my mail...
I was only objecting with this sentence:

But becoming a DD is a long and painful way. Many developers just want
to make their software available to Debian users but not become DDs.
They are invited to upload their packages here and tell other users
about this server.

If you ask me what i think about mentors.debian.net i'd say we do not need
such a service: i would have made any contributor to use alioth (register,
work on your favorite package and release it). A better service would have
been to create a place to coordinate people looking for sponsorship with those
willing to offer it.

ciao,
-- 
Luca - De Whiskey's - De Vitis  | Elegant or ugly code as well
aliases: Luca ^De [A-Z][A-Za-z\-]*[iy]'\?s$ | as fine or rude sentences have
Luca, a wannabe ``Good guy''.   | something in common: they
local LANG="[EMAIL PROTECTED]" | don't depend on the language.




Re: The Debian Mentors Project

2003-05-13 Thread Josip Rodin
On Mon, May 12, 2003 at 10:48:03PM +0200, Daniel K. Gebhart wrote:
[...]
> The mentors core-team is: 
[...]
>  the debian mentors core-team

"core team"? So, when can we expect expulsions? >:)

-- 
 2. That which causes joy or happiness.

Please Cc: unless you mail -devel.




Re: The Debian Mentors Project

2003-05-13 Thread Hamish Moffatt
On Tue, May 13, 2003 at 10:02:11AM +0200, Christoph Haas wrote:
> You are right. I do plan to apply in a few weeks. However the service
> was created especially for people who e.g. have written an application
> themselves and do not care about becoming a DD. 

Is that such a good thing? It might get us an initial package of some
new software, but will it get us a package that is continually and well
maintained?

We already have hundreds (if not thousands) of poor quality packages;
I don't think we need new technology to churn these out.

Hamish
-- 
Hamish Moffatt VK3SB <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>




Re: The Debian Mentors Project

2003-05-13 Thread Andreas Metzler
On Tue, May 13, 2003 at 03:51:42PM +1000, Anthony Towns wrote:
> On Mon, May 12, 2003 at 10:48:03PM +0200, Daniel K. Gebhart wrote:
> > ---
> > Debian Mentors Project
> 
> > The mentors core-team is: 
> >   Christoph Haas (ChrisH)<[EMAIL PROTECTED]>
> >   Ivo Marino (eim)   <[EMAIL PROTECTED]>
> >   Daniel K. Gebhart (con-fuse)   <[EMAIL PROTECTED]>
> >   Christoph Siess (CHS)  <[EMAIL PROTECTED]>
 
> Uh, as far as I can tell, of the above only Daniel is even in the
> n-m queue; Christoph, Ivo and Christoph appear to not be developers,
> applicants, or even sponsored maintainers of any packages in the archive.
 
> ]  In longer terms: only registered Debian developers (DD) are allowed to
> ]  upload packages directly into the official Debian distribution. But
> ]  becoming a DD is a long and painful way.
 
> Daniel applied to be a maintainer on 2003-03-18 and was assigned an
> application manager nine days ago, according to nm.debian.org. Why are
> we giving debian.net addresses to people who don't want to go through
> the "pain" of authenticating themselves to Debian, demonstrating they
> know what they're doing, and agreeing with Debian's principles?

I do not think that the fact that they have not applied yet,
can be taken as sign that they "don't want to go through
the "pain" of authenticating themselves to Debian, demonstrating
they know what they're doing, and agreeing with Debian's principles".

They might simply not feel ready, one should start the NM process,
when (s)he is ready for T&S and PP and has an advocate. NM is just the
"final exam", and no "How to be DD in 6 months" course.
   cu andreas
-- 
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"




Re: The Debian Mentors Project

2003-05-13 Thread Craig Small
On Mon, May 12, 2003 at 09:33:50PM -0700, tony mancill wrote:
> Apropos of this and Colin's statement, my suggestion is to make only a
> deb-src URL available on the site, and to only host source packages.  For
> packages destined for the Debian archive, it's critical that they be
> reviewed as source, and that they build from source.  I do a fair amount
> of sponsoring, and never have need for a binary of the package being
> sponsored.

As a long-time sponsor of a few people and packages (but nothing like
the tmancill sponsor/advocate machine) I'd have to agree with Tony.

I only use the tar.gz, diff and dsc from my sponsors. So the deb-src
is a good idea.

  - Craig

-- 
Craig Small VK2XLZ  GnuPG:1C1B D893 1418 2AF4 45EE  95CB C76C E5AC 12CA DFA5
Eye-Net Consulting http://www.enc.com.au/<[EMAIL PROTECTED]>
MIEEE <[EMAIL PROTECTED]> Debian developer <[EMAIL PROTECTED]>




Re: The Debian Mentors Project

2003-05-13 Thread Emile van Bergen
Hi,

On Tue, May 13, 2003 at 04:34:08AM -0500, Luca - De Whiskey's - De Vitis wrote:

> On Tue, May 13, 2003 at 10:02:11AM +0200, Christoph Haas wrote:
> > Please bear with me but from what I was told by a number of package
> > maintainers it is a really long way until one has become a DD. Just
> > because Daniel was assigned an AM does not mean there is a guarantee he
> > will get his DD access in the next weeks. I doubt that.
> 
> That may be true or not: i joined Debian in less than a month. There
> are many factors around that issue.
> 
> I want to add my two euro-cents too: IMHO it is very unfair, for a Debian
> project, to blame another Debian Project or Debian itself (NM is part of
> Debian).
> Moreover, it seems to me that you intend to help any non-Debian developer to
> distribute his software regardless of the fact he may want or not to join
> Debian: that's why i also don't see the point in having such a sentence.

Regardless, I actually think it's a wonderful scalability measure to
provide some infrastructure that allows DDs to delegate some of the
packaging work to NMs in the queue, who can prove that they are worth
their salt, or to non-DDs, who can contribute to the project in a
controlled manner that way.

I think there is a niche for such non-DD contributors. Not only in
bugreporting and bugfixing, but also in packaging work. The number of
packages is already huge, and arguably more than the DDs can handle,
if you look at the number of orphaned packages.

Of course, if nobody cares about them, they should be removed, but it
may very well be that no DD cares about them enough to continue doing
all the packaging work, while other people do care and are willing to
work through a sponsor.

Allowing DDs to take advantage of the work of lesser gods, whenever that
is practical and useful, seems a good thing for all parties concerned.

And no, IANADD.

Cheers,


Emile.

-- 
E-Advies - Emile van Bergen   [EMAIL PROTECTED]  
tel. +31 (0)70 3906153   http://www.e-advies.nl




Re: The Debian Mentors Project

2003-05-13 Thread Luca - De Whiskey's - De Vitis
On Tue, May 13, 2003 at 10:02:11AM +0200, Christoph Haas wrote:
> Please bear with me but from what I was told by a number of package
> maintainers it is a really long way until one has become a DD. Just
> because Daniel was assigned an AM does not mean there is a guarantee he
> will get his DD access in the next weeks. I doubt that.

That may be true or not: i joined Debian in less than a month. There
are many factors around that issue.

I want to add my two euro-cents too: IMHO it is very unfair, for a Debian
project, to blame another Debian Project or Debian itself (NM is part of
Debian).
Moreover, it seems to me that you intend to help any non-Debian developer to
distribute his software regardless of the fact he may want or not to join
Debian: that's why i also don't see the point in having such a sentence.

ciao,
-- 
Luca - De Whiskey's - De Vitis  | Elegant or ugly code as well
aliases: Luca ^De [A-Z][A-Za-z\-]*[iy]'\?s$ | as fine or rude sentences have
Luca, a wannabe ``Good guy''.   | something in common: they
local LANG="[EMAIL PROTECTED]" | don't depend on the language.




Re: The Debian Mentors Project

2003-05-13 Thread Michael Banck
On Tue, May 13, 2003 at 03:51:42PM +1000, Anthony Towns wrote:
> >   Daniel K. Gebhart (con-fuse)   <[EMAIL PROTECTED]>
> >   Christoph Siess (CHS)  <[EMAIL PROTECTED]>
 
> Why are we giving debian.net addresses to people who don't want to go
> through the "pain" of authenticating themselves to Debian,

At least both Daniel's and Christoph's GPG key are signed by numerous
DDs, so I think they authenticated.


Disclaimer: I am one of the guys who signed their key

Michael

-- 
 bah, docbook-doc has bogus documentation




Re: The Debian Mentors Project

2003-05-13 Thread Colin Watson
On Tue, May 13, 2003 at 08:30:03AM +0100, Mark Brown wrote:
> On Tue, May 13, 2003 at 01:29:00AM +0100, Colin Watson wrote:
> > On Mon, May 12, 2003 at 05:41:40PM -0600, Jack Moffitt wrote:
> > > Perhaps an easy thing to do would just be to show whether or not a
> > > package is signed by a key which is signed by a real debian developer.
> 
> > Surely getting that signature is the whole point of the system in the
> > first place?
> 
> I think the suggestion is that the key signing the package is signed by
> a developer, not that the package itself is signed.

Oh yes; thanks, I misread. I'm still not sure it's practical, though; in
practice, people do try to do development before getting their identity
check sorted out.

-- 
Colin Watson  [EMAIL PROTECTED]




Re: The Debian Mentors Project

2003-05-13 Thread Christoph Haas
Hi, Anthony...

On Tue, May 13, 2003 at 03:51:42PM +1000, Anthony Towns wrote:
> Uh, as far as I can tell, of the above only Daniel is even in the
> n-m queue; Christoph, Ivo and Christoph appear to not be developers,
> applicants, or even sponsored maintainers of any packages in the archive.

You are right. I do plan to apply in a few weeks. However the service
was created especially for people who e.g. have written an application
themselves and do not care about becoming a DD. I could imagine that a
lot of people will upload their packages to our server and then post in
debian-mentors that they seek a sponsor and their package has already
been uploaded. Time will tell.

> ]  In longer terms: only registered Debian developers (DD) are allowed to
> ]  upload packages directly into the official Debian distribution. But
> ]  becoming a DD is a long and painful way.

> Daniel applied to be a maintainer on 2003-03-18 and was assigned an
> application manager nine days ago, according to nm.debian.org. Why are
> we giving debian.net addresses to people who don't want to go through
> the "pain" of authenticating themselves to Debian, demonstrating they
> know what they're doing, and agreeing with Debian's principles?

Please bear with me but from what I was told by a number of package
maintainers it is a really long way until one has become a DD. Just
because Daniel was assigned an AM does not mean there is a guarantee he
will get his DD access in the next weeks. I doubt that.

Be assured that we do completely agree with the social contract, the GPL
and in general the Debian principles. Our main motivation to bring up
this service was that there are a lot of developers who read
nm.debian.org and did not want to become DDs. I understand that a
complex process is needed to keep the distribution clean. However just
this complexity may easily drive people away who could well be an asset
to the community.

I don't mind authenticating myself to Debian. In fact I would really
like to do it. It is less a matter of "wanting".

Enough with _my_ two euro-cents. :)

 Christoph

-- 
~
~
".signature" [Modified] 3 lines --100%--3,41 All




Re: The Debian Mentors Project

2003-05-13 Thread Emile van Bergen
Hi,

On Tue, May 13, 2003 at 03:51:42PM +1000, Anthony Towns wrote:

> On Mon, May 12, 2003 at 10:48:03PM +0200, Daniel K. Gebhart wrote:
> > ---
> > Debian Mentors Project
> 
> > The mentors core-team is: 
> >   Christoph Haas (ChrisH)<[EMAIL PROTECTED]>
> >   Ivo Marino (eim)   <[EMAIL PROTECTED]>
> >   Daniel K. Gebhart (con-fuse)   <[EMAIL PROTECTED]>
> >   Christoph Siess (CHS)  <[EMAIL PROTECTED]>
> 
> Uh, as far as I can tell, of the above only Daniel is even in the
> n-m queue; Christoph, Ivo and Christoph appear to not be developers,
> applicants, or even sponsored maintainers of any packages in the archive.
> 
> ]  In longer terms: only registered Debian developers (DD) are allowed to
> ]  upload packages directly into the official Debian distribution. But
> ]  becoming a DD is a long and painful way.
> 
> Daniel applied to be a maintainer on 2003-03-18 and was assigned an
> application manager nine days ago, according to nm.debian.org. Why are
> we giving debian.net addresses to people who don't want to go through
> the "pain" of authenticating themselves to Debian, demonstrating they
> know what they're doing, and agreeing with Debian's principles?

It seems that it's harmless, and its potential usefulness for the
sponsors and/or AMs, who /are/ DDs, could warrant a debian.net name,
can't it?

That no DD had to spend much energy to set this up is only a good thing,
isn't it?

In short, why pick on this useful initiative?

Cheers,


Emile.

-- 
E-Advies - Emile van Bergen   [EMAIL PROTECTED]  
tel. +31 (0)70 3906153   http://www.e-advies.nl




Re: The Debian Mentors Project

2003-05-13 Thread Mark Brown
On Tue, May 13, 2003 at 01:29:00AM +0100, Colin Watson wrote:
> On Mon, May 12, 2003 at 05:41:40PM -0600, Jack Moffitt wrote:

> > Perhaps an easy thing to do would just be to show whether or not a
> > package is signed by a key which is signed by a real debian developer.

> Surely getting that signature is the whole point of the system in the
> first place?

I think the suggestion is that the key signing the package is signed by
a developer, not that the package itself is signed.

-- 
"You grabbed my hand and we fell into it, like a daydream - or a fever."




Re: The Debian Mentors Project

2003-05-13 Thread Anthony Towns
On Mon, May 12, 2003 at 10:48:03PM +0200, Daniel K. Gebhart wrote:
> ---
> Debian Mentors Project

> The mentors core-team is: 
>   Christoph Haas (ChrisH)<[EMAIL PROTECTED]>
>   Ivo Marino (eim)   <[EMAIL PROTECTED]>
>   Daniel K. Gebhart (con-fuse)   <[EMAIL PROTECTED]>
>   Christoph Siess (CHS)  <[EMAIL PROTECTED]>

Uh, as far as I can tell, of the above only Daniel is even in the
n-m queue; Christoph, Ivo and Christoph appear to not be developers,
applicants, or even sponsored maintainers of any packages in the archive.

]  In longer terms: only registered Debian developers (DD) are allowed to
]  upload packages directly into the official Debian distribution. But
]  becoming a DD is a long and painful way.

Daniel applied to be a maintainer on 2003-03-18 and was assigned an
application manager nine days ago, according to nm.debian.org. Why are
we giving debian.net addresses to people who don't want to go through
the "pain" of authenticating themselves to Debian, demonstrating they
know what they're doing, and agreeing with Debian's principles?

Cheers,
aj

-- 
Anthony Towns <[EMAIL PROTECTED]> 
I don't speak for anyone save myself. GPG signed mail preferred.

  ``Dear Anthony Towns: [...] Congratulations -- 
you are now certified as a Red Hat Certified Engineer!''




Re: The Debian Mentors Project

2003-05-12 Thread tony mancill
On Tue, 13 May 2003, Daniel K. Gebhart wrote:

> Matthew Palmer <[EMAIL PROTECTED]> wrote Tue, May 13, 2003 at 08:36:12AM +1000:
> > *very* serious problem for anyone who starts relying on the binary packages
> > uploaded to m.d.n.  What sort of protections do you have in place or plan to
> > put in place to protect against this sort of thing?
>
> The mentors project is not something like apt-get.org! Hosting stable
> and safe packages is not our goal. We are responsible for the contact
> between maintainers and sponsors. Not between maintainers and users.

Apropos of this and Colin's statement, my suggestion is to make only a
deb-src URL available on the site, and to only host source packages.  For
packages destined for the Debian archive, it's critical that they be
reviewed as source, and that they build from source.  I do a fair amount
of sponsoring, and never have need for a binary of the package being
sponsored.

Cheers,
tony
<[EMAIL PROTECTED]>




Re: The Debian Mentors Project

2003-05-12 Thread Joe Nahmias
Ivo Marino wrote:

> On Tue, 13 May 2003, Matthew Palmer wrote:
> > It appears as though anyone who has an account can upload any package they
> > like.  While this isn't a pressing problem for sponsors (since they'll be
> > collecting source and checking the signatures on the .dsc), this could be a
> > *very* serious problem for anyone who starts relying on the binary packages
> > uploaded to m.d.n.  What sort of protections do you have in place or plan to
> > put in place to protect against this sort of thing?
> >
> If someone can already point out an eventual solution for this problem
> we'll open to consider any suggestion in order to improve the system.

If I may make a suggestion, a user should only be able to upload a
package that either:

a) doesn't appear in the repository

-or-

b) already has the uploader as maintainer

-or-

c) has a RFA/O bug filed in WNPP


That should provide a first line of defense against trojan packages.


Just my $0.02.  Thanks again for the great service!


Joe Nahmias, DD wannabe

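The upload rule suggested in the message above, written out as an added example; it is not code from the thread or from mentors.debian.net. The repository index, the WNPP set, the sample `.dsc` text and the function names are constructed for illustration, and the extra check that the Maintainer field matches the logged-in account is an assumption of this sketch.

```python
from email.parser import Parser
from email.utils import parseaddr

# Constructed sample data (not taken from mentors.debian.net).
REPO_MAINTAINERS = {"hello-tools": "alice@example.org",  # package -> recorded maintainer
                    "oldlib": "bob@example.org"}
WNPP_RFA_OR_O = {"oldlib"}                               # packages with an open RFA/O bug

SAMPLE_DSC = """\
Format: 1.0
Source: hello-tools
Version: 1.2-1
Maintainer: Alice Example <Alice@Example.org>
"""

def parse_dsc(text):
    """Return (source, maintainer_email) from the header fields of a .dsc."""
    fields = Parser().parsestr(text, headersonly=True)
    source = (fields.get("Source") or "").strip()
    _, addr = parseaddr(fields.get("Maintainer") or "")
    if not source or "@" not in addr:
        raise ValueError("missing or malformed Source/Maintainer field")
    return source, addr.lower()

def check_upload(dsc_text, account_email, repo=REPO_MAINTAINERS, wnpp=WNPP_RFA_OR_O):
    """Apply rules (a)-(c) from the message; return (allowed, reason)."""
    try:
        source, maintainer = parse_dsc(dsc_text)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    account = account_email.strip().lower()
    # Assumption of this sketch: the Maintainer field is uploader-controlled,
    # so it must match the authenticated account before any rule is applied.
    if maintainer != account:
        return False, "rejected: Maintainer field does not match account"
    if source not in repo:
        return True, "(a) package not yet in repository"
    if repo[source] == account:
        return True, "(b) uploader is the recorded maintainer"
    if source in wnpp:
        return True, "(c) package has an RFA/O bug in WNPP"
    return False, "rejected: package belongs to another maintainer"
```
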



Re: The Debian Mentors Project

2003-05-12 Thread Matthew Palmer
On Tue, 13 May 2003, Daniel K. Gebhart wrote:

> Matthew Palmer <[EMAIL PROTECTED]> wrote Tue, May 13, 2003 at 08:36:12AM +1000:
> > *very* serious problem for anyone who starts relying on the binary packages
> > uploaded to m.d.n.  What sort of protections do you have in place or plan to
> > put in place to protect against this sort of thing?
> 
> The mentors project is not something like apt-get.org! Hosting stable
> and safe packages is not our goal. We are responsible for the contact
> between maintainers and sponsors. Not between maintainers and users.

From the front page of mentors.debian.net:

"Welcome to the debian-mentors public software repository. In short terms
this is a free (no costs, no obligations) server which allows maintainers of
Debian GNU/Linux packages to offer them here. Other Debian users are invited
to download these packages using the handy apt-get utility."

I'll highlight a part for you:

"Other Debian users are invited to download these packages".

Care to try again?


-- 
---
#include 
Matthew Palmer, Geek In Residence
http://ieee.uow.edu.au/~mjp16





Re: The Debian Mentors Project

2003-05-12 Thread Colin Watson
On Mon, May 12, 2003 at 05:41:40PM -0600, Jack Moffitt wrote:
> Ivo Marino wrote:
> > Of course we can't actually ensure that all uploaded packages on the
> > system are secure, for now we trust the testers of the system but in
> > future we'll introduce higher security standards.
> > 
> > If someone can already point out an eventual solution for this problem
> > we'll open to consider any suggestion in order to improve the system.
> 
> Perhaps an easy thing to do would just be to show whether or not a
> package is signed by a key which is signed by a real debian developer.
> Ie, use the web of trust.  Then at least one can be reasonably sure that
> the maintainer is real.

Surely getting that signature is the whole point of the system in the
first place?

I'd be half-inclined to make the download password-protected; anyone can
get a valid password just by asking, but the expectation is that only
developers should be downloading the packages, and this discourages
people from shoving it into apt lines.

-- 
Colin Watson  [EMAIL PROTECTED]