
Appreciating developers



Dear all readers of debian-devel!

Just a note to the list to record some thoughts I had after receiving
a really nice personal email from a Debian user....

Over the last month or so, I put in a relatively huge amount of work
into upgrading Christoph Lameter's superb devscripts package, among
other things, bringing it into the desirous state of "bug-free and
lintian-clean".  For a relatively small package with 12 outstanding
bugs, some requiring major rewrites to fix, that was no menial task.

A natural state of affairs of any newly-released software package is
that it will contain bugs.  I was fully expecting that.  Joey Hess
asked -- totally reasonably -- whether I had taken care of potential
/tmp exploits.  When I had read the Bugtraq thread on things never to
put in root's crontab, I understood that for root to delete files in
/tmp is potentially very dangerous.  I therefore made sure that root
would not be able to execute those programs in devscripts which might
suffer from that problem.  I had not understood the other potential
problem of a malicious user putting in a nasty symlink in /tmp to one
of the _user's_ files.  I'm not a trained computer security
specialist, and I doubt that many Debian developers are.  However, I
have a good memory, and now that I know of this problem, I will
endeavour to ensure that my future packages do not suffer from it.

The other things about this episode worth noting are that I had released
version 2.0.3 within about 24 hours of releasing version 2.0.0 -- I
too take security seriously, and acted quickly to attempt to fix the
problems.  This bug was also a very long-standing bug which had never
been reported; I took it upon myself to release a patched version to
frozen to fix this.

What really upset me about the whole episode is that once Joey had
innocently asked me about the /tmp problems on -devel, it seemed to
signal the start of a flame war against me.  Without intending to
accuse anyone in particular, as that is only appropriate for personal
discussion in my opinion, I want to point out that I, and I presume
the same applies to almost all of the other developers, am a developer
for Debian out of choice, because I care about free software, because
I believe I have a skill which can be used for the greater good,
because I like to be part of a community, and, ultimately, because
it's good fun.  *Nothing* forces anyone to remain a developer, and
even less (!) forces anyone who is to do more than release upstream
upgrades suitably packaged.  And to be flamed for making a few genuine
mistakes is not likely to encourage someone to remain a developer.

Would not a better social policy be for emails to mailing lists
pointing out such errors to begin with some sort of praise or
appreciation, such as "Thank you so much for all the hard work you
have obviously put in to fixing up this package.  Have you remembered
XYZ, though?"  Yes, it takes 20 seconds longer to write such emails,
but the result might be a much happier, friendlier, productive,
encouraged team of developers.  And I would encourage all mails of
this nature to begin with a positive comment like this -- EVEN IF YOU
YOURSELF DON'T BELIEVE IT!!  You don't know what positive effect it
might have on the recipient, or even on you.

In the meantime, I have some more packages to get to work on.  I hope
this provides food for thought.

   Julian

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

            Julian Gilbey             Email: J.D.Gilbey@qmw.ac.uk
       Dept of Mathematical Sciences, Queen Mary & Westfield College,
                  Mile End Road, London E1 4NS, ENGLAND
      -*- Finger jdg@goedel.maths.qmw.ac.uk for my PGP public key. -*-

