ACL removal day?!

Christopher Aillon caillon at redhat.com
Tue Jun 19 17:37:24 UTC 2007


Rahul Sundaram wrote:
> The need for ACLs by default that restrict the package to only the 
> package maintainers is not clear and package maintainers are not aware 
> that ACLs are added by default to their packages. If it is explicitly 
> documented that ACLs are added by default that solves the latter 
> problem.

So let's document it.

> I would prefer that ACLs are only added if explicitly requested 
> since having a common pool allows some of the work (mass rebuilds, 
> rebuilds for soname bumps, resolving conflicting files in between 
> packages, E-V-R issues, security problems etc) to be shared by other 
> package maintainers interested in maintaining the quality of the 
> repository on the whole.

Do you mean if explicitly requested or if explicitly requested and they 
manage to convince $acl_giving_body?  I imagine that this is going to 
turn into a government-like regulatory thing where people are going to 
make maintainers feel bad for even thinking about adding an ACL.  We'd 
need this to be no-questions-asked IFF we do this.

But a better question is: why are we trying to be different from the way 
every open source project works?  You typically get commit access to 
what you need.  I have access at freedesktop.org to a few select modules 
that I work on, but not to the whole of fd.o.  Likewise, even at 
mozilla.org, I have access to a big chunk of stuff because I've proven 
myself to be good there, but I don't have access to some stuff such as 
the JavaScript engine or NSS for example.  I'm not sure where "fills out 
a form" is the same as "competent enough to have open access to every 
package in the repo".  They may overlap in some cases, but please keep 
in mind that this is not about freedom.  This is about trust, security, 
and integrity of the project.




More information about the Fedora-maintainers mailing list