On Thu, Sep 6, 2012 at 10:28 AM, Duncan Coutts <duncan.cou...@googlemail.com> wrote:

> On 5 September 2012 20:22, Erik Hesselink <hessel...@gmail.com> wrote:
>
> >> Also, we haven't had a single problem that I'm aware of on Ross Paterson's
> >> watch as bouncer for Hackage 1. The point I'm trying to make is that a
> >> technical solution imposes additional administrative and technical overhead
> >> whereas social processes can also be very effective while also handling
> >> corner cases more gracefully.
> >
> > I don't see how a technical solution (which is already implemented, by
> > the way) introduces *more* overhead than a manual solution. Also, the
> > fact that we haven't had any problems doesn't mean we won't in the
> > future. We don't have to wait before something goes wrong to fix it.
>
> As I think you know, I'm definitely in favour of the per-package
> maintainer group stuff.
>
> Let me make one more argument: even if we don't in practice have
> problems with people uploading packages they shouldn't, it'll make
> everyone *feel* better (that is, package maintainers and users). We do
> get a bit of stick for the current lack of security (not just this
> issue but about the lack of tamper proofing / detecting).
>
> Additionally, if you decide that you would prefer to allow anyone to
> upload without having to get manual approval to be in the uploader
> group, then the per-package maintainer group becomes very useful. You
> could have more or less a free for all in uploading new names, but
> nobody can subvert existing names.
>
> (We would still have the problem of people taking all the good package
> names for crappy packages, but that's another issue)
>
> I understand we're not planning on importing the accounts from the old
> server. Could someone explain the issue there? I'd assumed we'd do
> that for a smoother changeover (and to set up the initial maintainer
> groups).
>
> Duncan

I'm a little bit confused on the exact setup. The uploaders group seems to be roughly the same thing as the trustees group. (Except uploaders has an AND relationship with per-package groups as far as membership requirements for upload, and trustees has an OR relationship).

To my knowledge, it's technically possible to import the old accounts.

Matt
_______________________________________________
cabal-devel mailing list
cabal-devel@haskell.org
http://www.haskell.org/mailman/listinfo/cabal-devel