* Jonas Smedegaard:

> In a comment to a thread in d-private that I am not allowed to publish,
> I wrote regarding packages with non-DDs in the maintainer field:
>
>> I wholeheartedly want help also from non-DDs, I just see a problem
>> relying on someone that we by definition do not (yet) trust.
Just because you encourage someone to provide input, you do not automatically follow any of his advice, trusting him completely.

With respect to security updates, we have basically three choices: no action, because the sponsoree is not trusted and no DD comes to the rescue; some DD steps up and fixes the package without help from someone who is familiar with it (which may or may not lead to a working package with a proper fix); or a DD discusses the issue with the sponsoree and they come up with a solution together (whose security aspect is again reviewed by the appropriate security team).

In the latter case, I would prefer if the DD were the sponsor, hence my desire to base security support primarily on DDs, and only on sponsored maintainers if absolutely necessary. However, I understand that this approach could be a luxury we cannot afford.

