The debian-private mailing list leak, part 1.


Re: new maintainers



Good morning pholx,

Debian GNU/Linux was the only _open_ and _free_ distribution for
years.  This is one of our benefits.  We should try to let this be.

By this fact it is clear that we are also open to attacks and trojan
horses.  As Debian GNU/Linux is used in important places (take the
space mission as an example[1]) we are urged to make sure that we
don't get compromised.  For sure this collides with our open policy.

Therefore we have to find a way to get out of this dilemma without
moving to a closed distribution.  Debian wouldn't be what it is today
if we had started as a closed team of maintainers in which it is
difficult to join.

When I started joining the Debian project, I read a notice that
in general everyone can join the project and provide packages.
But every new maintainer was urged to contact Bruce to tell him what he
wants to do.

At this point I'd like Debian to introduce some guidelines for new
maintainers.  For sure in the same document we have to explain, why we
have to be cautious about new maintainers.  We have to make sure that
no one will interpret our behaviour as 'Debian is moving to be a
closed group'.

We have the address new-maintainer@debian.org - one designated member
of the bod or another designated active person should react here.

I could think of the following steps:

  o Every new maintainer has to introduce himself, explaining how
    (s)he wants to support the project.

  o We need a possibility to identify a new maintainer as the person
    they say they are[2].  This could also be done by some developers,
    i.e. on a travel through the country, one can also explain the
    Debian project in RL.  Anyway the service that Thawte will provide
    to us is also desired.

  o New packages released by this maintainer are put on a grey-list

  o If a maintainer vouches for the new person (i.e. I vouched for
    Soenke Lange and Thomas Koenig) it's ok for us.  If someone is
    distrustful about this particular person, put her/his packages on
    the grey-list as well

  o A designated maintainer watches all packages on this list for a
    defined period - half a year?  Additionally, perhaps the maintainer
    should be watched, too?

  o If the package is compromised it has to be deleted. (the
    designated maintainer must have permission to do so)

  o Concerning our servers provided by some companies/institutions: If
    a maintainer tries to screw the system up (s)he has to be excluded
    there.

[1] By the way, the German unix magazine, iX, has published a small
    note (1/8 page).

[2] There exist several attempts to introduce Certification
    Authorities and Trust Center.  There are DFN-PCA
    (http://www.pca.dfn.de/dfnpca/) and the IN-CA
    (http://www.in-ca.individual.net/) projects in Germany.  I'll
    make a press release concerning the latter in a few minutes. There
    are some more Certification Authorities around the world
    (http://www.pca.dfn.de/eng/team/ske/pem-dok.html#CA).

Best regards,

	Joey

-- 
  / Martin Schulze  *  joey@infodrom.north.de  *  26129 Oldenburg /
 /                 Beware of bugs in the above code; I have only /
/          proved it correct, not tried it.  -- Donald E. Knuth /