[Pkg-javascript-devel] lots of requests to join pkg-javascript

Ximin Luo infinity0 at debian.org
Thu Jan 5 12:51:00 UTC 2017


Jonas Smedegaard:
> Quoting Ximin Luo (2017-01-05 12:53:00)
>> Pirate Praveen:
>>> On വ്യാഴം 05 ജനുവരി 2017 04:22 വൈകു, Jérémy Lal wrote:
>>>> This is great, but is this serious ?
>>>> Anyone knows what's happening ?
> 
>>> I'm taking a packaging workshop at College of Engineering Pune [1].
>>>
>>> This is 4th day of the workshop and many have completed their packages
>>> and are ready for upload.
>>>
>>> https://lists.debian.org/debian-dug-in/2016/12/msg00001.html
>>>
>>> Initially some sent requests before I told them to give details about
>>> their package. So please approve if the information is complete.
>>>
>>
>> Hi, please don't add these people.
>>
>> People in the alioth group have read-write access to all pkg-javascript git repos as well as shell access on that machine.
>>
>> I don't think it's right to give this many people, who show up at an event, this level of access without any other requirement. It is too dangerous.
>>
>> I have rejected these requests and removed these people until they package a second package *in their own spare time* outside of an event. In the meantime, they can push their packages on github, this is adequate for a sponsored upload to Debian.
> 
> I disagree with that approach, Ximin:
> 
> We do not in this team have any rules for membership that one must first 
> prove her worth by packaging outside of Debian, nor that they must use 
> their spare time doing so!
> 
> I am concerned if people requesting to join are fully aware what it is 
> they join, which is why I asked about that.  But I see nothing wrong 
> with approving people we don't know well.
> 
> We must recognize that we have little security fencing the assets of 
> this team, and treat them accordingly (double-check what you pull, sign 
> changes you make, etc.).  Making it harder to join this team does *not* 
> help secure our assets!
> 

We don't have hard rules, but we all have our ideas about what is right or wrong. For you, it is a question of "are they aware". For me, I explained it in my other email, and it roughly overlaps with "are they aware".

The security aspect is just one factor, not the main factor. But to give more detail: (a) just because we have "little" security doesn't mean we have to make it quantitatively worse, which we will do if we add anyone who asks - it adds surface area. And (b) the standards of time and continual maintenance that I described elsewhere also indicate that a person is careful about their general computing practices, which also helps to not reduce security - compared to giving access to a random person.

X

-- 
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git
