Re: ELPA update

[Ted Zlatanov]

On Wed, 28 Sep 2011 16:00:04 +0200 Julien Danjou <address@hidden> wrote: 

JD> On Wed, Sep 28 2011, Ted Zlatanov wrote:
>> To that end it would also be nice if we asked committers to sign their
>> contributions with their private GPG key, but I don't know if Bazaar
>> supports that.  If they did, we could have a list of approved public GPG
>> keys for any given package and contributions signed with those could be
>> automatically approved.  This is just a proposal though, I don't know
>> the best way to do it.

JD> I though people having commit access to ELPA were already trusted, since
JD> they got their write access SSH authentified?

Yes, but my proposal would give them automatic approval to their own
packages.  So if you decide to modify someone else's package you will be
able to commit but it won't be automatically approved.  The end result
would be that when you commit a bug fix, it goes out immediately, but if
you commit a new feature to my package, it won't.

>> Most of us don't know how to run a package repository, so maybe we
>> should look at the Debian maintainers' process or ask them if we don't
>> have the local expertise.

JD> Well, there's no manual review of packages already present in the
JD> archive at Debian. Only new packages got reviewed (for licensing issue
JD> mainly).

Yes, but you can't commit changes to someone else's package, can you?
And they don't roll out commits immediately, there's a release process?

Ted