ACL removal day?!

[Rahul Sundaram]

Christopher Aillon wrote:
> Do you mean if explicitly requested or if explicitly requested and they 
> manage to convince $acl_giving_body.  I imagine that this is going to 
> turn into a government-like regulatory thing where people are going to 
> make maintainers feel bad for even thinking about adding an ACL.  We'd 
> need this to be no-questions-asked IFF we do this.

I don't think ACL requests by package maintainers need to be regulated 
as long as some groups which really need them get access as outlined in 
my other mail. I would really like to have maintainer's explicitly 
document the need for ACL's on their packages. There is a balance 
between security, critical nature of a package vs benefits of shared 
work via more open access. On some packages such as the kernel or glibc 
I think it is clear that ACL's are justified but it might be more 
appropriate to special case such packages instead of restricting ACL's 
by default.

> But a better question is: why are we trying to be different from the way 
> every open source project works? 

I don't think we are all that different. Comparing individual projects 
to a distribution which needs to integrate thousands of packages 
together doesn't seem to work well but if you do compare other 
distributions there are is some similarities in the sense that there is 
a group of people who share the work across the repository or a smaller 
subset. Debian has FTP masters and NMU's. Gentoo has herds and so on.

Also note that what is being discussed is not a entirely new change and 
Fedora Extras had always had open access to package maintainers and we 
haven't had any security or integrity issues with that.

Rahul