On 5 September 2012 20:22, Erik Hesselink <hessel...@gmail.com> wrote:
>> Also, we haven't had a single problem that I'm aware of on Ross Paterson's
>> watch as bouncer for Hackage 1. The point I'm trying to make is that a
>> technical solution imposes additional administrative and technical overhead
>> whereas social processes can also be very effective while also handling
>> corner cases more gracefully.
>
> I don't see how a technical solution (which is already implemented, by
> the way) introduces *more* overhead than a manual solution. Also, the
> fact that we haven't had any problems doesn't mean we won't in the
> future. We don't have to wait before something goes wrong to fix it.

As I think you know, I'm definitely in favour of the per-package maintainer group stuff.

Let me make one more argument: even if we don't in practice have problems with people uploading packages they shouldn't, it'll make everyone *feel* better (that is, package maintainers and users). We do get a bit of stick for the current lack of security (not just this issue but about the lack of tamper proofing / detecting).

Additionally, if you decide that you would prefer to allow anyone to upload without having to get manual approval to be in the uploader group, then the per-package maintainer group becomes very useful. You could have more or less a free for all in uploading new names, but nobody can subvert existing names.

(We would still have the problem of people taking all the good package names for crappy packages, but that's another issue.)

I understand we're not planning on importing the accounts from the old server. Could someone explain the issue there? I'd assumed we'd do that for a smoother changeover (and to set up the initial maintainer groups).

Duncan

_______________________________________________
cabal-devel mailing list
cabal-devel@haskell.org
http://www.haskell.org/mailman/listinfo/cabal-devel