On 25 July 2013 02:42, Scott Kitterman <[email protected]> wrote:
> On Thursday, July 25, 2013 02:17:21 AM Mark Shuttleworth wrote:
>> On 23/07/13 23:36, Iain Lane wrote:
>> > I'm not sure what additional/different quality control would be
>> > necessary. Is your concern that by not being Ubuntu members these folk
>> > don't have skin in the game and therefore might be less careful in
>> > their work in Ubuntu? I think that a necessary component of any
>> > successful application to the DMB should be that the board satisfies
>> > itself of the individual's technical competence and trustworthiness.
>> > Beyond that, both members and non-members can screw up and we (the
>> > developer community at large) would deal with either in the same way.
>> > Cheers,
>>
>> Accepted that mistakes happen, and our governance should not aim for a
>> false sense of security.
>>
>> My main thought was that we always want to ensure that there are active
>> forces steering things in the right direction. My concern would be, if a
>> person 'leads' a packageset and gives another person permission to
>> upload, who then drifts away, that we may be vulnerable to a social
>> attack if their keys were compromised. The Forums hack seems to have
>> been exactly this - one admin gave another access years ago, and then
>> that caused an issue today.
>
> The packagesets where we thought we MIGHT make membership optional are not
> ones related to the various flavors and none of them are ones that have
> delegated authority to make people developers. There are packagesets that are
> a matter of administrative convenience, e.g. instead of PPU for 5 related
> packages, here's a small packageset that we'll let you upload to. For these
> kinds of cases, PPU for X packages or create a packageset is only an
> administrative difference.
>
> As a practical matter, I expect this new option to primarily apply to Debian
> developers that are somewhat interested in their packages in Ubuntu, but not
> making a major commitment to it. If their keys get compromised we're in
> trouble whether they have upload rights to Ubuntu or not.
>
> Scott K
>
In this given scenario, do we have a list of occasions where Debian developers wanted to make a change and were unable (or unwilling?) to find sponsorship for their package? It feels like the burden of requesting upload access is heavier than that of finding a sponsor, but this is based on my assumptions that could well be invalid. Either way, it would be good to add support based on documented evidence.

If we make it easier for DD's to get upload access, then I fear we reduce our quality control that DMB currently provides which ensures that the potential uploader has a good understanding of the Ubuntu ecosystem. To me, it feels that the criteria of ~ubuntu-membership is a reasonable standard to measure this.

--
Kind Regards,
Dave Walker
