In a comment to a thread in d-private that I am not allowed to publish, I
wrote regarding packages with non-DDs in the maintainer field:

> I wholeheartedly want help also from non-DDs, I just see a problem
> relying on someone that we by definition do not (yet) trust.

On Wed, 21 Sep 2005 16:36:35 +0200 Gerfried Fuchs <[EMAIL PROTECTED]> wrote:

> * Jonas Smedegaard <[EMAIL PROTECTED]> [2005-09-21 15:00]:
> > On Wed, 21 Sep 2005 13:16:12 +0200 Gerfried Fuchs <[EMAIL PROTECTED]>
> > wrote:
> >> I see a problem relying on quite someone that we by definition
> >> _do_ trust yet.
> >
> > I honestly do not understand you.
> >
> > You do not rely on Debian?
>
> Oh, I do rely on Debian. But not necessarily more on DDs than
> non-DDs, which this is all about. Just because someone managed to get
> a @d.o address doesn't make him per definition more trustworthy to me.
> Especially not if that was done way before the current NM process, or
> even then just ages ago. People aren't more reliable just because they
> are DDs. People are people; that they are DDs only means that they were
> reliable enough over a certain period in time to convince their NM
> team. Apart from that...
>
> There were two people I did AM for, one is more or less MIA, the
> other one has resigned if I'm not completely mistaken. Things like
> that happen, and I can't follow your reasoning.

MIA is one thing (read the developers reference about that[1]).

Another is the chance of a package "drifting": non-DDs sponsored by
different DDs for each upload.

Yesterday I wanted to backport nvu to sarge. I was surprised to discover
that the tarball of nvu 1.0 instead contained 1.0RC - a release candidate
for 1.0. I checked the BTS[3] for bugs already on this - or on some of
the many user-visible issues fixed in the latest upstream release - and
found in one of the bug reports for the package the comment "i'm
searching for a sponsor for the new revision."

Probably (but I don't know) the non-DD is not to blame here: I want the
uploader to take responsibility for having the software part of Debian.
Sponsoring an upload but not the next is not taking responsibility IMHO.

Debian is a social structure. If I behave badly then the "punishment" is
not so much that I get kicked from Debian (have we ever really done
that?) but that my friends in this community laugh, shout or ignore me.
Outsiders don't have the same risk of social "punishment" - and maybe
just as important: we don't have the same possibility of getting out our
frustrations. Or more constructive: we don't have the same possibility of
getting to the core of a problem to understand and learn from it. Not so
much because non-DDs go MIA, but because the channels are weaker (the
non-DD cannot hang out in our private club d-private) and the interest
in staying friends is perhaps also weaker (chances are higher that a
not-yet-DD loses interest in staying with the project due to a verbal
fight than a DD who has the community to lose if leaving).

> > The recently proposed requirements of releasable archs include that
> > all packages must be built by DDs - does that not imply that we rely
> > more on those given trust by becoming members of Debian than other
> > participants in our community?
>
> a.) proposed. b.) it should imply it, though reality tells me
> differently.

Sorry, I don't understand you. Maybe I expressed myself clumsily in the
first place, so let me try again:

http://release.debian.org/etch_arch_criteria.html says that "all binary
packages need to be built by Debian developers" (and notes that there
should really be nothing new in this).

Do you agree with my interpretation of the sentence that Debian puts
more trust in Debian developers than non-Debian developers?

Do you agree with the text or would you rather it was removed?

> > Don't get me wrong: I do want more members of Debian. But I like
> > some degree of "quality assurance" for those marked as package
> > maintainers.
>
> Don't get me wrong: I don't distrust every Debian member. But I don't
> think that the NM process is a "quality assurance" that I would build
> trust on.

What _would_ you build trust on?

As I understand it Debian bases its trust on people in the Debian
keyring, and people only get into the Debian keyring either by proving
some basic technical skills and basic knowledge of our shared ideology,
or by having been part of the project since the days when such a formal
access bar was not needed[2].

Here's what I want (if anyone is interested - so far I have only
experienced hostility when I offer my weird non-sponsoring help to
outsiders wanting packages into Debian):

A requirement that the Maintainer field always either matches an entry
in the Debian keyring or the email ends in "@debian.org" (so that
group-maintained packages at Alioth - where at least one in each group
must be a DD - are also allowed).

A requirement that the latest changelog entry must match the person
signing the package for upload to the archive.

"Uh, but then the non-DD can't prove the skills of packaging for the
NM process," I hear you say. No - just have the non-DD write separate
changelog entries so that it is obvious what parts of the work you did
and the non-DD did. You should do that anyway!

See the changelog of yaird for a good example. Erik van Konijnenburg is
the master of the packaging - I have a really hard time finding flaws in
his work - but still I take the responsibility of being the official
link between Debian and the software, because I am a DD and Erik is not.

> So long,
> Alfie [still quotable outside private]

Great. Will do that (and sorry that I forgot to state similarly in my
last couple of posts on d-private).

 - Jonas

[1] http://www.debian.org/doc/developers-reference/ch-beyond-pkging.en.html#s-mia-qa

[2] I imagine that in the old days the smaller community could more
easily spot social problems when they appear. But that is history. I am
more interested in discussing the situation now.

[3] But I must admit I have not yet filed a bug report about this. The
package is stuck in unstable anyway due to general security concerns
(bug#306822), and when someone gets around to look at the source they
will no doubt discover this anyway...

-- 
* Jonas Smedegaard - idealist and Internet architect
* Phone: +45 40843136  Website: http://dr.jones.dk/

 - The end is near: http://www.shibumi.org/eoti.htm
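The two requirements proposed in the mail above (a Maintainer address that is in the Debian keyring or ends in @debian.org, and a topmost changelog entry written by whoever signs the upload) expressed as a check in Python. This is an added example, not code from the thread or from any Debian tool; the control stanza, changelog, keyring set and signer address are all constructed here, and a real deployment would take the signer from the verified OpenPGP signature on the .changes file.

```python
import re

# Constructed sample inputs (not from the thread): a control stanza, the head
# of a debian/changelog, and a stand-in for the Debian keyring (uid e-mails).
CONTROL = """Source: nvu
Maintainer: Non DD <contributor@example.net>
Uploaders: Sponsor One <sponsor@debian.org>
"""
CHANGELOG = """nvu (1.0-1) unstable; urgency=low

  * New upstream release.

 -- Non DD <contributor@example.net>  Wed, 21 Sep 2005 15:00:00 +0200
"""
KEYRING = {"sponsor@debian.org", "another@example.org"}

_ADDR = re.compile(r"<([^>]+)>")
# Changelog trailer: " -- Name <email>  date" (two spaces before the date).
_TRAILER = re.compile(r"^ -- .*? <([^>]+)>  ", re.M)


def maintainer_email(control):
    """E-mail from the Maintainer field of a control stanza, or None."""
    for line in control.splitlines():
        if line.startswith("Maintainer:"):
            m = _ADDR.search(line)
            return m.group(1).lower() if m else None
    return None


def latest_changelog_email(changelog):
    """E-mail of whoever wrote the topmost changelog entry, or None."""
    m = _TRAILER.search(changelog)
    return m.group(1).lower() if m else None


def check_upload(control, changelog, signer_email, keyring):
    """Apply both proposed rules; return the list of violations (empty = OK).
    Rule 1: Maintainer is in the keyring or has an @debian.org address.
    Rule 2: the latest changelog entry was written by the upload's signer."""
    problems = []
    maint = maintainer_email(control)
    if maint is None:
        problems.append("no Maintainer address")
    elif maint not in keyring and not maint.endswith("@debian.org"):
        problems.append(f"Maintainer {maint} is neither in keyring nor @debian.org")
    author = latest_changelog_email(changelog)
    if author != signer_email.lower():
        problems.append(f"changelog entry by {author}, upload signed by {signer_email}")
    return problems
```

With the constructed inputs and a sponsor signing the upload, both rules fire: the Maintainer is an outside address and the changelog entry was not written by the signer.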

