emacs-devel

Re: Proposal for an Emacs User Survey


From: Jean Louis
Subject: Re: Proposal for an Emacs User Survey
Date: Mon, 19 Oct 2020 19:42:42 +0300
User-agent: Mutt/1.10.1 (2018-07-13)

* Drew Adams <drew.adams@oracle.com> [2020-10-19 18:48]:
> > MELPA to a large part consists of a database of "recipes", one for each
> > package that it builds and distributes. This tag can be put inside
> > recipes, and thus be controlled by MELPA maintainers, and not by the
> > packages authors themselves.
> > 
> > If we provide some well-defined criteria for such tags, and pick a
> > neutral-enough name, I don't see why the MELPA maintainers (who are
> > quite reasonable people IME) wouldn't go for it.
> 
> Just a minor comment/question about this, which
> I think would be the first time such a thing
> would be happening:
> 
> Do we really want to set a precedent that
> someone other than the code author fiddles with
> their code, adding comments or whatever?
> 
> Sure, the maintainers of a repo are, in a way,
> administrators.  But should such administrators
> be changing source code?  Adding other code or
> whatever, to administer, label, treat, etc. the
> code is, at least conceptually, different from
> changing the source code itself.
> 
> No, adding a field/tag in a comment is not a big
> deal.  And yes, GPL code is open to modification.
> 
> Still, is this a good door to open?

That is similar to how many GNU/Linux software packages are
maintained; often they are modified before they enter a distribution
for final users.

I do not care if a package is original, not original, forked or not
forked, or modified; what I care about is which group of people is
making it trusted and by which principles.

If nobody is making package verifications by looking into it, then
such a package is not trusted by me, with or without a PGP signature;
it does not matter any more.

That is why some GNU/Linux distributions have so many maintainers;
each is responsible for some packages. There is no warranty, but there
is some implied moral obligation at least. Some OSes like OpenBSD have
better security policies: they verify the code for security, not just
package and wrap it for delivery.



