Security Response Team / EOL
pertusus at free.fr
Sat Apr 29 10:28:24 UTC 2006
> do the right thing, this enters the old loop of asking: What do we aim at
> anyway? It would be a promise that we believe the packagers do the right
> thing. It's not individuals who promise something, it's the entire FE
> project which makes the promise. And when we do that, users should also be
> able to rely on the project to maintain the full set of packages when a
> packager doesn't respond [in time] or when a package is officially
> orphaned. This brings us back to a security response team of
You set the requirements for the fedora extras project quite high. So in that
case we should try to add as little packages as possible.
> volunteers. It simply doesn't work to let some packagers extend a legacy
> branch with new packages when that might result in increased maintenance
> requirements for the rest of the project either immediately or some time
Ok, but it also apply to new packages. I think it changes a little the scope
of the fedora extras project, in my opinion. Not that I think that it is
a bad idea, and indeed having such a goal would avoid the 'dumping ground'
But it implies a change in the process of acceptance of new packages.
Indeed if a goal is 'support every package, and substitute to packagers
when they leave' then a packager should take into account the burden
he may leave to the whole project when he leaves, and that changes a lot
the rules of the game. If this is agreed, for example, the packages providing
duplicate functionnalities should be avoided unless there is a very good
reason. Also complex packages that are hard to maintain should be avoided.
And another thing that could be nice in that case would be to search for
co-maintainers when the package is reviewed, and only accept if there are
enough people ready to takeover if the packager leaves, and verify that
there is no potential co-maintainer who accepts to be a fail-over for too
much projects as the same time. And maybe also it would be good if the
acceptance of new fedora extras member would be conditional on them
accepting to be fail-over maintainer for existing packages, especially
those with few failover packagers.
If there aren't such changes in guidelines/procedures/institutions, we
won't be able to achieve the reuirements you propose above.
More information about the fedora-extras-list