On Saturday 29 July 2006 09:48, Martin Schulze wrote:
> Manoj Srivastava wrote:
> > > Co-maintainers are much closer to what is being done in a package
> > > than joe-random developer. Also, co-maintainership is far less
> > > prone to fire-and-forget uploads that hose things, and are nicer to
> > > people who feel very strongly about their packages.
> >
> > Co-maintainerships require communication, and ability and
> > desire to share decisions, can result in a culture of "it is someone
> > else's problem (neat aphorism in German, I believe)", and if the team
> > does not trust one of the members, then things can turn ugly.
>
> There's another problem with team-maintained packages. The Security
> Team has to work on packages that are team-maintained in sid every
> once in a while. Often we want to get in touch with the maintainer
> privately before disclosure or before releasing the advisory.
>
> With team-maintained packages, the maintainer address often points to
> a mailing list, so we can't talk to them. Even worse are packages
> in whose changelog the entries aren't signed by a real person but
> by a list address as well. That's some sort of anonymous maintenance.
>
> For such packages the Security Team has problems reaching a person
> to talk to them in time so that we can discuss fixes and prepare
> updates.
>
> The last example I remember is not old and it demonstrated another
> problem. We contacted the list address but only got a response after
> we had opened a bug report, when we released the advisory without any
> maintainer response. I'm not exactly sure team-maintenance really
> helps here...
Good point. If a mailing list is listed in Maintainer:, then I see adding all package co-maintainers to the Uploaders: field as a possible resolution. Hm, some of these co-maintainers might in fact be non-DDs, but I don't see any problem with the security team talking to such parties when dealing with the situation described above. Or am I badly wrong about that?

-- 
pub 4096R/0E4BD0AB 2003-03-18 <people.fccf.net/danchev/key pgp.mit.edu>
fingerprint 1AE7 7C66 0A26 5BFF DF22 5D55 1C57 0C89 0E4B D0AB
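The condition the Security Team complains about above, a package whose Maintainer: is a mailing list and whose Uploaders: names no individual, can be checked mechanically from debian/control. The script below is an added example, not code from the thread or from Debian's own tooling; the two source stanzas are constructed for illustration (the package names and addresses are made up), and the rule for deciding that an address belongs to a list is a heuristic assumption, not a Debian policy definition.

```python
import re
from typing import Dict, List

# Constructed sample of two debian/control source stanzas (not real packages).
SAMPLE_CONTROL = """\
Source: example-team-pkg
Maintainer: Example Packaging Team <pkg-example-maintainers@lists.example.org>
Uploaders: Alice Example <alice@example.org>, Bob Example <bob@example.org>

Source: example-anon-pkg
Maintainer: Example Packaging Team <pkg-example-maintainers@lists.example.org>
"""

# Heuristic (an assumption of this example): an address on a lists.* or
# alioth.* host, or with a team-style local part, is a mailing list rather
# than a person who can be contacted privately.
LIST_HOST_RE = re.compile(r"@(lists?\.|alioth\.)", re.I)
LIST_LOCAL_RE = re.compile(r"^(pkg-|team-|.*-maintainers|.*-devel)$", re.I)


def parse_stanzas(text: str) -> List[Dict[str, str]]:
    """Parse blank-line separated control stanzas into field dicts.

    Handles folded continuation lines (leading whitespace) by appending
    them to the previous field; comments and multi-stanza edge cases of
    the full deb822 grammar are out of scope here.
    """
    stanzas: List[Dict[str, str]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        last = None
        for line in block.splitlines():
            if line[:1].isspace() and last is not None:
                fields[last] += " " + line.strip()
            elif ":" in line:
                key, value = line.split(":", 1)
                last = key.strip()
                fields[last] = value.strip()
        stanzas.append(fields)
    return stanzas


def addresses(field: str) -> List[str]:
    """Extract the e-mail addresses from a 'Name <addr>, Name <addr>' field."""
    return re.findall(r"<([^>]+)>", field)


def is_list_address(addr: str) -> bool:
    local, _, host = addr.partition("@")
    return bool(LIST_HOST_RE.search("@" + host) or LIST_LOCAL_RE.match(local))


def reachable_people(stanza: Dict[str, str]) -> List[str]:
    """Addresses in Maintainer:/Uploaders: that look like individuals."""
    people: List[str] = []
    for field in ("Maintainer", "Uploaders"):
        for addr in addresses(stanza.get(field, "")):
            if not is_list_address(addr):
                people.append(addr)
    return people


def audit(control_text: str) -> Dict[str, List[str]]:
    """Map each source package to the individuals a security team could
    contact privately; an empty list flags 'anonymous maintenance'."""
    return {
        s["Source"]: reachable_people(s)
        for s in parse_stanzas(control_text)
        if "Source" in s
    }


if __name__ == "__main__":
    for source, people in audit(SAMPLE_CONTROL).items():
        status = ", ".join(people) if people else "NO REACHABLE PERSON"
        print(f"{source}: {status}")
```

Run against a real sid Sources index (one stanza per source package, same field layout), the packages that come back with an empty list are exactly the ones where the Security Team would have to fall back on the list address or a public bug report.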

