Giving upload rights to non-Ubuntu members

Dave Walker davewalker at ubuntu.com
Thu Jul 25 07:34:59 UTC 2013


On 25 July 2013 02:42, Scott Kitterman <ubuntu at kitterman.com> wrote:
> On Thursday, July 25, 2013 02:17:21 AM Mark Shuttleworth wrote:
>> On 23/07/13 23:36, Iain Lane wrote:
>> > I'm not sure what additional/different quality control would be
>> > necessary. Is your concern that by not being Ubuntu members these folk
>> > don't have skin in the game and therefore might be less careful in
>> > their work in Ubuntu? I think that a necessary component of any
>> > successful application to the DMB should be that the board satisfies
>> > itself of the individual's technical competence and trustworthiness.
>> > Beyond that, both members and non-members can screw up and we (the
>> > developer community at large) would deal with either in the same way.
>> > Cheers,
>>
>> Accepted that mistakes happen, and our governance should not aim for a
>> false sense of security.
>>
>> My main thought was that we always want to ensure that there are active
>> forces steering things in the right direction. My concern would be, if a
>> person 'leads' a packageset and gives another person permission to
>> upload, who then drifts away, that we may be vulnerable to a social
>> attack if their keys were compromised. The Forums hack seems to have
>> been exactly this - one admin gave another access years ago, and then
>> that caused an issue today.
>
> The packagesets where we thought we MIGHT make membership optional are not
> ones related to the various flavors and none of them are ones that have
> delegated authority to make people developers.  There are packagesets that are
> a matter of administrative convenience, e.g. instead of PPU for 5 related
> packages, here's a small packageset that we'll let you upload to.  For these
> kinds of cases, PPU for X packages or create a packageset is only an
> administrative difference.
>
> As a practical matter, I expect this new option to primarily apply to Debian
> developers that are somewhat interested in their packages in Ubuntu, but not
> making a major commitment to it.  If their keys get compromised we're in
> trouble whether they have upload rights to Ubuntu or not.
>
> Scott K
>

In this given scenario, do we have a list of occasions where Debian
developers wanted to make a change and were unable (or unwilling?) to
find sponsorship for their package?

It feels like the burden of requesting upload access is heavier than
that of finding a sponsor, but this is based on my assumptions that
could well be invalid.  Either way, it would be good to add support
based on documented evidence.

If we make it easier for DDs to get upload access, then I fear we
reduce our quality control that DMB currently provides which ensures
that the potential uploader has a good understanding of the Ubuntu
ecosystem.  To me, it feels that the criteria of ~ubuntu-membership is
a reasonable standard to measure this.

-- 
Kind Regards,
Dave Walker


