Steve McIntyre wrote:
> In this particular case, the problem is much worse than just a single
> bug in a package - it's a total failure in the sponsorship
> system.
From what Ramakrishnan and other sponsors wrote on this thread, it sounds like Kartik was a frequent and active sponsee who did a lot of uploads.

My experience with sponsoring such people is that you come to trust that they know what they're doing, and over time review their packages less thoroughly before sponsoring. You still run lintian each time, but you don't go looking for absurd lintian overrides[1]. You still download pristine source for new releases from upstream, but you don't examine every line of the sponsor's diff for potential backdoors.

I think this is only human nature, and it parallels how we treat upstreams too (few developers review every line of the *upstream* changes for potential backdoors..). So to some extent it's understandable that the package got through sponsorship.

-- 
see shy jo

[1] I'm definitely going to add lintian --show-overrides to my own sponsorship process.
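As an added illustration of the two checks the mail above says tend to get skipped once a sponsee is trusted (looking at lintian overrides, and comparing the sponsee's orig tarball with one fetched from upstream), here is a small POSIX sh script. It is not from the original mail or from any Debian tool; the function names `list_overrides`, `check_pristine` and `sponsor_check` are mine, and it assumes lintian's documented behaviour that `--show-overrides` prints overridden tags with an `O:` prefix. The sample lintian output embedded in `SAMPLE_LINTIAN` is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original mail): surface what routine
# sponsoring tends to skip before signing a sponsee's upload.

# Constructed sample of `lintian --show-overrides` output. Overridden tags
# are the lines lintian prefixes with "O:"; the others are ordinary results.
SAMPLE_LINTIAN='W: foo: binary-without-manpage usr/bin/foo
O: foo: setuid-binary usr/bin/foo 4755 root/root
O: foo source: source-is-missing debian/foo.js'

# list_overrides: read lintian output on stdin, print only the overridden
# tags. Returns 0 if there were none and 1 if any were found, so a caller
# can stop and read the override justification instead of trusting it.
list_overrides() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            O:*) printf '%s\n' "$line"; found=1 ;;
        esac
    done
    return $found
}

# check_pristine: compare the sponsee's .orig.tar.* (first argument) with a
# copy you fetched from upstream yourself (second argument). A hash mismatch
# means the tarball in the upload is not what upstream published.
check_pristine() {
    sponsee_tar=$1
    upstream_tar=$2
    a=$(sha256sum "$sponsee_tar" | cut -d' ' -f1)
    b=$(sha256sum "$upstream_tar" | cut -d' ' -f1)
    [ "$a" = "$b" ]
}

# sponsor_check: run both checks against a real .changes file and an
# independently downloaded upstream tarball. Needs lintian installed;
# not exercised here, provided so the helpers have a concrete caller.
sponsor_check() {
    changes=$1
    sponsee_tar=$2
    upstream_tar=$3
    echo "== overridden lintian tags in $changes =="
    if lintian --show-overrides "$changes" | list_overrides; then
        echo "(none)"
    else
        echo "review the overrides above before sponsoring"
    fi
    echo "== orig tarball vs upstream =="
    if check_pristine "$sponsee_tar" "$upstream_tar"; then
        echo "orig tarball matches upstream"
    else
        echo "orig tarball DIFFERS from upstream: do not sponsor"
    fi
}
```

Typical use would be `sponsor_check foo_1.2-1_amd64.changes ../foo_1.2.orig.tar.gz /tmp/foo-1.2.tar.gz` after fetching the upstream tarball yourself rather than from the sponsee. The point of the `O:` filter is that a plain `lintian` run is silent about overridden tags, so an override that hides a setuid binary or missing source looks identical to a clean package.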