[D-m-team] Cleaning Uploaders -- a mistake?

Anthony Towns aj at azure.humbug.org.au
Thu Jan 17 08:35:42 UTC 2008 

On Thu, Jan 17, 2008 at 07:36:03AM +0100, Daniel Leidert wrote:
> Yes, of course. But the problem is, that DMs can hijack and NMU other
> DM-upload-allowed packages (that's what Damian was referring to). Or are
> there limitations I forget?

They can't do NMUs or hijack packages -- they can only upload packages
they *already* maintain, as indicated by the Maintainer:/Uploaders: field.

> So my question is if DM upload rights, currently limited by being listed
> in Maintainers/Uploaders, having a key in the DM keyring and a sponsored
> upload setting XS-DM-Upload-Allowed to yes, should be bound to a per-DM
> package list, 

There's already a per-DM package list, it's just that it's derived:

	grep-dctrl -s Package -F Maintainer,Uploaders "$DM" $SOURCES

For Xavier, that looks like:

	Package: libauthen-simple-cdbi-perl
	Package: libauthen-simple-dbi-perl
	Package: libauthen-simple-dbm-perl
	Package: libauthen-simple-http-perl
	Package: libauthen-simple-kerberos-perl
	Package: libauthen-simple-ldap-perl
	Package: libauthen-simple-pam-perl
	Package: libauthen-simple-passwd-perl
	Package: libauthen-simple-perl
	Package: libauthen-simple-radius-perl
	Package: libauthen-simple-smb-perl
	Package: lisaac
	Package: magicor
	Package: mirage
	Package: moodle-debian-edu-theme
	Package: vym

For people who're actually DMs, and limited to just DM-Upload-Allowed
packages, it looks like what's at:

	http://ftp-master.debian.org/dm-uploaders.html

> so other DMs cannot hijack nor NMU other DM-enabled packages. 

It's not hijacking or NMUing if you're uploading a package you maintain...

For example: it would not be a hijacking or an NMU for Xavier to upload
any of the above packages right now -- either directly if he were
accepted as a DD right now, or indirectly if someone not involved with
one of those packages sponsored an upload.

If the co-maintainers of those packages think that's not okay, then Xavier
probably shouldn't be listed as Maintainer/Uploader of those packages
(or the co-maintainers should talk to each other and Xavier enough to
realise that it is okay).

I'm not sure what definitions you're using, but if it helps, the ones
I'm used to are:

    NMU -- uploading a package that doesn't have you listed in the 
           maintainer or uploaders field

    hijack -- an NMU that changes the Maintainer/Uploaders
              field (usually adding the NMUer and removing the existing
              maintainer) without the existing maintainer's agreement

It's not possible for a DM to do either of these things, already.

(The upload removing Xavier from Uploaders is close to a hijacking by
that definition, though give it's all under the perl team banner anyway,
not that big a deal)

Fundamentally, if someone shouldn't be maintaining a package, they
shouldn't be listed as Maintainer: or amongst the Uploaders: -- if you've
been using those fields for something else, that's mostly ok, but they
do need to be limited to that purpose when you set the DM-Upload-Allowed
field. If it's recognition of work done, the changelog or copyright file
("Initial packaging by Bob Smith.") are a better bet.

For comparison, dak has always used "is the person in the .changes file
present in Maintainer: or Uploaders:" as the determining factor for
"is this an NMU?". I don't think that affects anything but DM now; it
used to affect whether dak would close bugs or tag them fixed. At some
point it might be used to enforce NMU version numbers for NMUs, I guess.

If you've got people who regularly do uploads of a particular package,
it's easy -- they stay in the Maintainer:/Uploaders: field and do most
of the work on the package and most of the uploads. This is fine for
DMs or DDs.

If you've got people who regularly tweak different packages maintained
by the team, then team members could:

	- just add their changes to the team repository on alioth/etc, and
	  let someone else upload later (fine for anyone in the team)

	- commit changes in the team repo and upload straight away
	  (only fine for DDs)

	- upload changes to arbitrary packages that have been previously
	  committed (only fine for DDs)

	- upload changes to a particular package that have previously
	  been committed (fine for DDs or DMs)

All a bit stream of consciousness I get, I hope some of it's helpful.

Cheers,
aj

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 155 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/d-m-team/attachments/20080117/4b030cb7/attachment-0001.pgp

More information about the D-m-team mailing list