Excerpts from Ian Jackson's message of 2017-12-12 15:38:29 +0000:
> The work of reviewing each source file, first by the maintainer, and
> then by ftpmaster when auditing, would still have to be done, I think.
>
> Or do you think we can avoid both the maintainer and then ftpmaster
> looking at every source file ?
>
> Do you think the work of writing down the source-file-by-source-file
> information (ie, the result of the maintainer's copyright review and a
> main input to the ftpmaster review) is wasted ?
>
Until we ask the ftpmasters to review every single source change, or to spot check non-NEW changes, it is indeed a wasted effort to produce this report for only the first time a particular source package enters the archive. It makes very little sense that NEW is this huge hurdle, but NEW+1 binary uploads are just a gpg signature away from unstable.

I believe we agreed to follow the rules when we became DDs. We also assert what policy version we build our packages under when we upload them. While I do think ftp masters _should_ spot-audit these uploads, I don't think debian/copyright should be required to be 100% comprehensive. Trying to make it so for MySQL 5.5 was a huge waste of my time, and I vowed never to do it again.

An auditor can look for inconsistencies, and gross ambiguities. But if there's a tarball of source, and a debian/copyright file that asserts the licenses and any required copyright notices for said files, that should be enough. A brief check to make sure none of it smells fishy is hopefully sufficient due diligence to ensure that Debian is safe to redistribute.