[Pkg-javascript-devel] lots of requests to join pkg-javascript
Jonas Smedegaard
jonas at jones.dk
Thu Jan 5 14:12:48 UTC 2017
Quoting Ximin Luo (2017-01-05 13:51:00)
> Jonas Smedegaard:
>> Quoting Ximin Luo (2017-01-05 12:53:00)
>>> Pirate Praveen:
>>>> On Thursday 05 January 2017 04:22 PM, Jérémy Lal wrote:
>>>>> This is great, but is this serious ?
>>>>> Anyone knows what's happening ?
[...]
>>>> I'm taking a packaging workshop at College of Engineering Pune [1].
>>>>
>>>> This is 4th day of the workshop and many have completed their packages
>>>> and are ready for upload.
[...]
>>> Hi, please don't add these people.
>>>
>>> People in the alioth group have read-write access to all
>>> pkg-javascript git repos as well as shell access on that machine.
>>>
>>> I don't think it's right to give this many people, who show up at an
>>> event, this level of access without any other requirement. It is too
>>> dangerous.
[...]
>> We do not in this team have any rules for membership that one must
>> first prove her worth by packaging outside of Debian, not that they
>> must use their spare time doing so!
>>
>> I am concerned if people requesting to join are fully aware what it is
>> they join, which is why I asked about that. But I see nothing wrong
>> with approving people we don't know well.
>>
>> We must recognize that we have little security fencing the assets of
>> this team, and treat them accordingly (double-check what you pull, sign
>> changes you make, etc.). Making it harder to join this team does *not*
>> help secure our assets!
>>
>
> We don't have hard rules, but we all have our ideas about what is
> right or wrong. For you, it is a question of "are they aware". For me,
> I explained it in my other email, and it roughly overlaps with "are
> they aware".
>
> The security aspect is just one factor, not the main factor.

Ok, you now tell me that security is not the main factor.

I clearly read your previous email as if security was the main factor
for rejecting these requests. For clarity of discussion I shall
*ignore* the security factor.

> But to give more detail, (a) just because we have "little" security,
> doesn't mean we have to make it quantitatively worse, which we will do
> if we add anyone that asks - it adds surface area. And (b) the
> standards of time and continual maintenance that I described
> elsewhere, also indicates that a person is careful about their general
> computing practices, which also helps to not-reduce security -
> compared to giving access to a random person.

Do I understand you correctly that in your opinion the main factor is
devotion to continued maintenance?

If so, then we agree on what is "main factor" - but still we disagree on
how to then deal with it:

It seems Praveen finds it reasonable to approve "because they are ready
to upload their packages", and it seems you find that exact situation
reason for rejecting. I find it neither reject nor approve reason.

I welcome into this team any and all persons who feel they are ready to
*maintain* official Debian packages. I find it wrong to impose
restrictions on that, but I want to emphasize _maintain_ - this team is
*not* the Javascript *contribution* team (there are other methods to
contribute to Debian in other ways than continuous maintenance).

- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private