
Re: Suggestion: Time limit for NM process



Sven Mueller <debian@incase.de> writes:

> Come on, the NM process isn't about trust (except for the GPG signature
> part). It's (if that) about skills. And it's about endurance.  I'm not
> saying this is a bad thing, but pretending that the NM process builds up
> trust is just plain wrong.

There is actually a non-trivial correlation between endurance and trust.
If a hypothetical person wished to become a DD in order to do damage, the
amount of time investment required for such an attack is prohibitive for
all but the most determined.

I think NM could be made much faster without a significant change in that
analysis, but don't disregard the correlation completely.  A process that
takes a few months on the average does establish a significantly higher
level of trust than a process that averages only a few days.  Having a
process that takes a significant length of time does tend to filter out
anyone who isn't willing to make a long-term commitment, and most attacks
aren't worth that sort of long-term commitment in the eyes of the
attacker.

Personally, I think a process shorter than six to nine months elapsed time
from first contact to the project to becoming a DD would be a bad idea,
not just for this reason but because I think asking people to demonstrate
some degree of dedication and on-going effort on Debian before becoming a
DD is quite reasonable and desirable.  Now, first contact doesn't have to
start with the NM application; if someone has been contributing to the
project actively for some time, I have no problem with their application
moving faster once they submit it.

This isn't unusual.  Most free software projects I've been involved with
required a similar ongoing commitment of work to be given direct commit
privileges.

In other words, I think NM should possibly be twice as fast as it
currently is (and plan on at least trying to volunteer to be an AM as soon
as my year waiting period is up to do my part), but I don't think it
should be an order of magnitude faster.  I was actually reasonably
comfortable and content with the length of time it took my application to
be processed (about seven months, plus an additional three or four months
of work on Debian before I applied); if we can get all applicants up to
that same level and maintain it, I think we'd be doing fine.

I can also say from personal experience that the task-based T&S checks
Marc did for me were excellent and felt a lot more rewarding than just
answering questions would have been.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>


