
On Thu, Sep 6, 2012 at 10:28 AM, Duncan Coutts wrote:

> On 5 September 2012 20:22, Erik Hesselink
>
> > > Also, we haven't had a single problem that I'm aware of on Ross
> > > Paterson's watch as bouncer for Hackage 1. The point I'm trying to
> > > make is that a technical solution imposes additional administrative
> > > and technical overhead whereas social processes can also be very
> > > effective while also handling corner cases more gracefully.
> >
> > I don't see how a technical solution (which is already implemented, by
> > the way) introduces *more* overhead than a manual solution. Also, the
> > fact that we haven't had any problems doesn't mean we won't in the
> > future. We don't have to wait before something goes wrong to fix it.
>
> As I think you know, I'm definitely in favour of the per-package
> maintainer group stuff.
>
> Let me make one more argument: even if we don't in practice have
> problems with people uploading packages they shouldn't, it'll make
> everyone *feel* better (that is, package maintainers and users). We do
> get a bit of stick for the current lack of security (not just this
> issue but about the lack of tamper proofing / detecting).
>
> Additionally, if you decide that you would prefer to allow anyone to
> upload without having to get manual approval to be in the uploader
> group, then the per-package maintainer group becomes very useful. You
> could have more or less a free for all in uploading new names, but
> nobody can subvert existing names.
>
> (We would still have the problem of people taking all the good package
> names for crappy packages, but that's another issue)
>
> I understand we're not planning on importing the accounts from the old
> server. Could someone explain the issue there? I'd assumed we'd do
> that for a smoother changeover (and to set up the initial maintainer
> groups).
>
> Duncan

I'm a little bit confused on the exact setup. The uploaders group seems to
be roughly the same thing as the trustees group. (Except uploaders has an
AND relationship with per-package groups as far as membership requirements
for upload, and trustees has an OR relationship).

To my knowledge, it's technically possible to import the old accounts.

Matt