Hello,
On Sun, 23 Oct 2022, Didier Raboud wrote:
> (Sorry for the delay in getting back to that thread. #life)
Me even worse ;-)
> Specifically, this is something I'd like to discuss in more extensive terms.
> I think I'm postulating that Debian would be in a better place with a "Debian
>
Didier Raboud wrote:
> What most respondents have gotten across as the bulk of my proposal seems to
> be: "we could limit upload rights to certain packages"
>
> ... where what I was trying to get across was: "we could team-maintain the
> core of Debian (and by extension, other subsets)"
Frankly, readi
(Sorry for the delay in getting back to that thread. #life)
What most respondents have gotten across as the bulk of my proposal seems to
be: "we could limit upload rights to certain packages"
... where what I was trying to get across was: "we could team-maintain the
core of Debian (and by exten
On Tue, Oct 18, 2022 at 07:25:39AM -0700, Russ Allbery wrote:
> This is probably my security brain from my day job, but I would prefer to
> be able to drop permissions that I'm not currently using, as long as I can
> get them back easily. It reduces the blast radius of mistakes and
> compromises.
Hi,
* Johannes Schauer Marin Rodrigues [2022-10-12 10:49]:
If I understand what you write correctly, then you propose to put into place a
technical barrier for uploading other people's packages. But that will not
reduce the ownership (or hegemony) of developers over their packages and thus
not
On 10/18/22 16:25, Russ Allbery wrote:
> I think there's some merit for being able to
> restrict and expand your own permissions
As much as I understand, *self-controlling* your own rights is not the
original proposal.
Cheers,
Thomas Goirand (zigo)
On Tue, 2022-10-18 at 13:00 +0200, Thomas Goirand wrote:
> On 10/18/22 00:07, Charles Plessy wrote:
> > If it is
> > easy for those who need to get archive-wide privileges, it is also easy
> > to start without that privilege as a default.
>
> I really would hate having 2 sets of uploading DDs. O
Thomas Goirand writes:
> I really would hate having 2 sets of uploading DDs. One with the
> archive-wide privilege, and the one without. Then you'd need to ask for
> that right, and potentially have to explain why you need it. This is a
> terrible idea, with not enough justification (IMO).
This
On 10/18/22 00:07, Charles Plessy wrote:
> If it is
> easy for those who need to get archive-wide privileges, it is also easy
> to start without that privilege as a default.
I really would hate having 2 sets of uploading DDs. One with the
archive-wide privilege, and the one without. Then you'd nee
On Wed, 2022-10-12 at 16:09 -0700, Russ Allbery wrote:
> Pierre-Elliott Bécue writes:
>
> >
>
> Is there some way right now for me to say "any Debian contributor with
> upload rights should feel free to merge changes and upload this package
> without needing to consult me at all, and I will
Hi Nilesh,
On Sun, Oct 16, 2022 at 03:16:11PM +0530, Nilesh Patra wrote:
>
> IMHO the "risk assessment" for most DDs is already done via NM process.
> Usually people are mindful of when they upload, and do ask others
> for opinions when they do NMU's.
The risk assessment I suggest is for the
Hi Charles,
On Sun, Oct 16, 2022 at 01:06:23PM +0900, Charles Plessy wrote:
> On Wed, Oct 12, 2022 at 12:14:35AM +, Scott Kitterman wrote:
> >
> > What fraction of security issues we've had in Debian do you think
> > narrower upload permissions would have prevented?
>
> Exactly zero. But
On Sun, Oct 16, 2022 at 01:06:23PM +0900, Charles Plessy wrote:
> On Wed, Oct 12, 2022 at 12:14:35AM +, Scott Kitterman wrote:
> >
> > What fraction of security issues we've had in Debian do you think
> > narrower upload permissions would have prevented?
>
> Exactly zero. But my comment i
On Wed, Oct 12, 2022 at 12:14:35AM +, Scott Kitterman wrote:
>
> What fraction of security issues we've had in Debian do you think
> narrower upload permissions would have prevented?
Exactly zero. But my comment is not about the past, it is about the
future.
I think that a proper risk as
On Wed, Oct 12, 2022 at 10:19:28PM -0700, Russ Allbery wrote:
> Tobias Frost writes:
> > On Wed, Oct 12, 2022 at 04:09:54PM -0700, Russ Allbery wrote:
>
> >> Is there some way right now for me to say "any Debian contributor with
> >> upload rights should feel free to merge changes and upload this
On 10/12/22 09:25, Pierre-Elliott Bécue wrote:
I can understand your train of thoughts, but to be honest with myself,
I'd rather keep the social limitation rather than enforce a technical
limitation that would prevent me to upload any package and force me to
do $process and wait for someone else'
Tobias Frost writes:
> On Wed, Oct 12, 2022 at 04:09:54PM -0700, Russ Allbery wrote:
>> Is there some way right now for me to say "any Debian contributor with
>> upload rights should feel free to merge changes and upload this package
>> without needing to consult me at all, and I will subscribe t
On Wed, Oct 12, 2022 at 04:09:54PM -0700, Russ Allbery wrote:
> Is there some way right now for me to say "any Debian contributor with
> upload rights should feel free to merge changes and upload this package
> without needing to consult me at all, and I will subscribe to the packages
> feed for t
Pierre-Elliott Bécue writes:
> I really think it's not the matter, to me the matter is package
> ownership. While new contributors should feel that it's mandatory to
> discuss with maintainers, having people clamped so tightly to their
> packages that you don't know if these are actually packages
Hi,
Quoting Didier Raboud (2022-10-07 15:24:23)
> (This is the continuation of an unspecified thread in the debian-private list
> that generated enough positive content that I deemed it smart enough to jump
> off from it, to a public mailing list. I'm not quoting anything from anyone,
> but the
On Fri, Oct 07, 2022 at 03:24:23PM +0200, Didier Raboud wrote:
> Looking at how Ubuntu is structured (with topic teams) made me wonder if some
> variation of that couldn't reasonably be applied to Debian, by dividing our
> giant set in subsets (topic teams, baskets, ...), under clearer team's
>
Didier Raboud wrote on 07/10/2022 at 15:24:23+0200:
> (This is the continuation of an unspecified thread in the debian-private list
> that generated enough positive content that I deemed it smart enough to jump
> off from it, to a public mailing list. I'm not quoting anything from anyone,
> b
On October 11, 2022 11:40:20 PM UTC, Charles Plessy wrote:
>Hi Didier,
>
>An interesting side effect of your proposal is that Debian's security
>will be higher as uploading permissions will not be broad by default.
>And I think that a lightweight process can be designed to allow DDs to
>expand
Hi Didier,
An interesting side effect of your proposal is that Debian's security
will be higher as uploading permissions will not be broad by default.
And I think that a lightweight process can be designed to allow DDs to
expand their permissions.
Have a nice day,
--
Charles
On October 10, 2022 7:56:07 AM UTC, Gerardo Ballabio wrote:
>Didier Raboud wrote:
>> The last aspect would also be to completely remove the source-package-level
>> realms; within a subset, there would be no package-specific maintainers or
>> vetoes; disputes would move "out" from source-package-le
Didier Raboud wrote:
> The last aspect would also be to completely remove the source-package-level
> realms; within a subset, there would be no package-specific maintainers or
> vetoes; disputes would move "out" from source-package-level to subset-level.
Uhm. This makes me wonder what the real goal of
I myself am *very* happy to have other Debian people (DDs, DMs) git
push and dput fixes to any of "my" packages. No need for an NMU or
delay or permission: just do it. Zero friction. In the unlikely event
you do something I'm uncomfortable with I'll just revert it and
discuss.
This has nothing to