Hackage 2

[Duncan Coutts]

On 5 September 2012 20:22, Erik Hesselink <hesselink at gmail.com> wrote:

>> Also,  we haven't had a single problem that I'm aware of on Ross Paterson's
>> watch as bouncer for Hackage 1.    The point I'm trying to make is that a
>> technical solution imposes additional administrative and technical overhead
>> whereas social processes can also be very effective while also handling
>> corner cases more gracefully.
>
> I don't see how a technical solution (which is already implemented, by
> the way) introduces *more* overhead than a manual solution. Also, the
> fact that we haven't had any problems doesn't mean we won't in the
> future. We don't have to wait before something goes wrong to fix it.

As I think you know, I'm definately in favour of the per-package
maintainer group stuff.

Let me make one more argument: even if we don't in practice have
problems with people uploading packages they shoudn't, it'll make
everyone *feel* better (that is, package maintainers and users). We do
get a bit of stick for the current lack of security (not just this
issue but about the lack of tamper profing / detecting).

Additionally, if you decide that you would prefer to allow anyone to
upload without having to get manual approval to be in the uploader
group, then the per-package maintainer group becomes very useful. You
could have more or less a free for all in uploading new names, but
nobody can subvert existing names.

(We would still have the problem of people taking all the good package
names for crappy packages, but that's another issue)

I understand we're not planning on importing the accounts from the old
server. Could someone explain the issue there? I'd assumed we'd do
that for a smoother changeover (and to set up the initial maintainer
groups).

Duncan