Extras Security Policy

Michael Schwendt bugs.michael at gmx.net
Thu Sep 8 09:32:25 UTC 2005

On Thu, 8 Sep 2005 09:04:08 +0200 (CEST), Linus Walleij wrote:

> One of the crucial things involved here is monitoring of upstream in 
> actively used and developed software. One potential problem could be 
> people losing interest or taking on maintenance of too many packages so 
> that they lose focus.

Surely there are more people interested in those "many packages", who use
them and who could help with "monitoring of upstream". Wrong? Then I don't
know who else would be in the position to decide whether a packager has
not taken package maintenance seriously enough. Who monitors the packager?

> Perhaps one could state some cleartext about the responsibilities of a 
> package maintainer, and how to properly resign? I have not seen such a 
> thing yet.

I believe this is attacking a possible problem from the wrong side.

My experience so far with documents on processes is that every document,
whether short and to the point or long and detailed, is misinterpreted by
at least a few contributors silently. Unclear things are not discussed
until somebody else runs into it, and then the "me too" kind of complaints
are added.

Every bit of prophylactically added bureaucracy increases the hurdle for
volunteers, who are turned off by a long list of documents, obligations
and "responsibilities", which ought to be common sense for a responsible
package maintainer. In my point of view, a packager should not be seen as
a packaging grunt, who processes a given list of todo items (like upgrade
to every minor revision), but as a first-come-first-served voluntary
contributor, who welcomes help from other people (team-work!) and who
most likely would step aside if somebody else proclaimed giving a package
more love.

As for "how to properly resign", well, of course a contributor would notify
fedora-extras-list or even fedora-maintainers list and announce packages
as unmaintained and they would be tracked in the Wiki as before. Does it
need more bureaucracy than that already? The next step will be to
eliminate old unmaintained packages from the repository and to
disable/delete them within CVS.
