Kevin Mark wrote:
> > The question is, is there a way we can minimize the overhead of integrating
> > contributions from folks who aren't (yet) DDs? Given what I see and hear
> > from various sponsors, the review of sponsored uploads is already a joke;
>                                                                     ^^^^^^^
> > various sponsors already trust their sponsorees implicitly, so if there's
> > already no real review happening, are we better off dispensing with the
> > illusion?
> The assumption about a DD is that they can be trusted to upload with only
> a negligible risk to the archive.
Yes, and there are various ways to accomplish this, not merely one.

For example, some DDs decide they can trust an upstream, and do not review every line of code in a new upstream release, while others do not. You can generally tell the difference; DDs who review every line from upstream tend to maintain fewer packages and take longer to get new upstream releases packaged. They also occasionally spot problems, although if you look at other code review processes, such as debian-release's reviews to accept changes to frozen software, it might be fair to say that such reviews tend to miss about as many problems as they catch, and that even the most dedicated reviewers have to give up on meaningful review of certain packages. It's also interesting to compare the number of security holes such maintainers find via their reviews of new versions of their packages with the number of security holes others manage to find by targeted grepping of the whole archive.

Similarly, some DDs (myself included), eventually decide they can trust a sponsee, and do not review every line of their patches.

> You assert that there is not enough certainty about sponsored uploads
> because of the unknown or inconsistent quality of sponsor's reviews.

I don't believe that's what he's saying.

-- 
see shy jo