Rahul Sundaram wrote:
The need for ACLs by default that restrict the package to only the package maintainers is not clear, and package maintainers are not aware that ACLs are added by default to their packages. If it is explicitly documented that ACLs are added by default, that solves the latter problem.
So let's document it.
I would prefer that ACLs are only added if explicitly requested, since having a common pool allows some of the work (mass rebuilds, rebuilds for soname bumps, resolving conflicting files in between packages, E-V-R issues, security problems, etc.) to be shared by other package maintainers interested in maintaining the quality of the repository on the whole.
Do you mean if explicitly requested, or if explicitly requested and they manage to convince $acl_giving_body? I imagine that this is going to turn into a government-like regulatory thing where people are going to make maintainers feel bad for even thinking about adding an ACL. We'd need this to be no-questions-asked IFF we do this.
But a better question is: why are we trying to be different from the way every open source project works? You typically get commit access to what you need. I have access at freedesktop.org to a few select modules that I work on, but not to the whole of fd.o. Likewise, even at mozilla.org, I have access to a big chunk of stuff because I've proven myself to be good there, but I don't have access to some stuff such as the JavaScript engine or NSS for example. I'm not sure where "fills out a form" is the same as "competent enough to have open access to every package in the repo". They may overlap in some cases, but please keep in mind that this is not about freedom. This is about trust, security, and integrity of the project.