Bug#1020923: tech-ctte: please clarify if atomic updates are required

[Sean Whitton]

Hello Sam,

Speaking only for myself.

On Thu 29 Sep 2022 at 03:31PM -06, Sam Hartman wrote:

> Is the maintainer expected to find a forum and try to build consensus on
> this issue?

I don't think they are.

> In various ways the submitter has argued that those proposing to
> continue the transition have an obligation to respond to his concerns.
> To what extent is that true under our process?

It seems to me that if the submitter was writing as a package
maintainer, or otherwise raising the issues as part of work he was doing
on Debian, there would be some sort of obligation, but I don't believe
either of those are true.

> From a process standpoint, to what extent should this bug block the
> transition if the maintainer doesn't want it to.

Not at all, unless the RT or TC think otherwise.

-- 
Sean Whitton


signature.asc
Description: PGP signature

Bug#1020923: tech-ctte: please clarify if atomic updates are required

[Sam Hartman]

> "Sean" == Sean Whitton  writes:

>> 
>> * Who is expected to drive further discussion: the maintainer or
>> the bug submitter

I guess I don't really see how the above is broad.
But let me try and narrow it.
Is the maintainer expected to find a forum and try to build consensus on
this issue?
In various ways the submitter has argued that those proposing to
continue the transition have an obligation to respond to his concerns.
To what extent is that true under our process?

>> 
>> * What is the state until that further discussion happens?

To narrow this.
>From a process standpoint, to what extent should this bug block the
transition if the maintainer doesn't want it to.

I'm happy to narrow these down, but   my main point is that we together
can save a lot of pain for everyone involved if to the maximum extent we
have consensus on what the process options are, we clarify that as we
close the TC bug.

It maiy not strictly be the TC's job, but I think it's our job as Debian
developers to try and be helpful and save the whole community pain when
we can.

Bug#1020923: tech-ctte: please clarify if atomic updates are required

[Sean Whitton]

Hello,

On Thu 29 Sep 2022 at 10:16AM -06, Sam Hartman wrote:

> I think it would help the current situation if the TC would clarify the
> state of the bugs if they choose not to take up this issue at this time:
>
> * Who is expected to drive further discussion: the maintainer or the bug
>   submitter
>
> * What is the state until that further discussion happens?

These are very broad questions ...

> My understanding of our processes is that:
>
> 1) If the bug submitter disagrees with the maintainer they need to
> drive discussion.  If the TC isn't ready they could drive that
> discussion debian-devel or some other forum.
>
> 2) Unless the TC or RT explicitly acts, the maintainer's severity
> (wishlist in this case) stands.

... but at least what you've said here seems correct to me.

-- 
Sean Whitton


signature.asc
Description: PGP signature

Bug#1020923: tech-ctte: please clarify if atomic updates are required

[Sam Hartman]

> "Russ" == Russ Allbery  writes:
Russ> Unfortunately, with this current set of bugs, it seems
Russ> unlikely that we're going to manage to make everyone happy in
Russ> the short term, which means there's going to be a tense period
Russ> where some folks feel strongly that we're doing this wrong.
Russ> But more discussion, unless it's about truly new approaches,
Russ> often makes that kind of situation worse rather than better.
Russ> We may have to just uncomfortably sit with the disagreement
Russ> for a while and incrementally work our way out of it.

I agree with all of what Russ says especialliy the above.

I think it would help the current situation if the TC would clarify the
state of the bugs if they choose not to take up this issue at this time:

* Who is expected to drive further discussion: the maintainer or the bug
  submitter

* What is the state until that further discussion happens?

My understanding of our processes is that:

1) If the bug submitter disagrees with the maintainer they need to
drive discussion.  If the TC isn't ready they could drive that
discussion debian-devel or some other forum.

2) Unless the TC or RT explicitly acts, the maintainer's severity
(wishlist in this case) stands.

I really think that if the TC chooses to close this bug, either
confirming I'm right on those issues or explaining where I've got it
wrong will help a lot.
If we're going to be sitting with a bit of discomfort while our
processes and our discussions work themselves out, let us at least not
have more disagreement on what those processes are than we need.

--Sam


signature.asc
Description: PGP signature

Bug#1020923: tech-ctte: please clarify if atomic updates are required

[Russ Allbery]

Not a TC member so just jumping in from the outside with a personal
opinion, which everyone should take or leave as they see fit.

Gunnar Wolf  writes:

> I know that if I suggest you to bring the issue to d-devel@l.d.o it will
> fuel a flamewar, but I see no other proper way to handle _this
> particular mail_. Maybe the request could be phrased differently, in a
> way it could encompass this bug report (i.e. "ask the TC whether we
> might use sloppy techniques when upgrading, considering the risks we
> take as acceptable" (of course, I don't mean your job is sloppy, it's
> just an example text that will not be accepted if asked )

I think it's also worth noting that the default assumption in Debian is
that the package maintainer sets the priorities of bugs and work on that
package, and also that, as always in Debian, no one requires that you do
work, only that people do not block other people's work.

So if you don't believe this is a significant risk, or if you think other
Debian work is more important, you are, as always, empowered by Debian to
act accordingly.  You can deprioritize the bug and do the work that you
think is important.

If someone else disagrees and thinks this needs to be immediately
addressed, the onus is on them to either concretely propose a fix that's
acceptable to you and take responsibility for rolling out that fix,
escalating to the TC if they can't find a fix acceptable to you, or taking
some other proactive action like fixing their problem in another package.
You are not required to do that proactively when you don't think it's
warranted.

You've done the bug triage, and you don't agree with the bug submitter,
and you're applying what you view is appropriate prioritization.  That's
really all Debian asks you to do.

I know we're in a very awkward place right now because we have some
project-wide bugs where there is serious and deep disagreement over where
those bugs should be fixed, so everything feels larger and more
significant than a regular bug.  And in a way I suppose that's true, but I
think one good way to navigate such situations is to fall back on our
process and let the process work itself out.

Unfortunately, with this current set of bugs, it seems unlikely that we're
going to manage to make everyone happy in the short term, which means
there's going to be a tense period where some folks feel strongly that
we're doing this wrong.  But more discussion, unless it's about truly new
approaches, often makes that kind of situation worse rather than better.
We may have to just uncomfortably sit with the disagreement for a while
and incrementally work our way out of it.

-- 
Russ Allbery (r...@debian.org)  

Bug#1020923: tech-ctte: please clarify if atomic updates are required

[Gunnar Wolf]

Hi Ansgar,

Ansgar dijo [Wed, Sep 28, 2022 at 10:18:26PM +0200]:
> Any package relevant for successful boot. Any upgrade.
> 
> As far as I can tell, the submitter requires some guarantees
> significantly stronger than what Debian requires for essential
> packages.
> 
> In particular, boot-relevant packages are demanded to work in
> unconfigured state, with not fully satisfied dependencies (possibly not
> even unpackaged?), in partly unpackaged states, after maintainer script
> errors, and all of that in combination with system crashes that might
> result in partly written data to filesystems. And possibly in other
> interesting system states too.

Humm, as the maintainer for raspi-firmware, this definitively
addresses an area where I'm responsible. So this is naturally
interesting for me even outside my TC role.

There is a point I somewhat agree with Bug#1020920's submitter:
Packages modifying the packages involved in system boot need to be
extra careful to reduce the window of vulnerability for an unbootable
system as much as possible.

However, no matter how careful we are, I do not think it's expectable
that we can guarantee the atomic interaction mode Zack W. suggests —
There is no syscall matching "rename and create a symlink". And even
if we had one, it would most probably still become two separate
filesystem operations in the end. Of course, the supported
filesystems' code could be modified so that said operation sequence
could be added to the journal beforehand, so they can be effectively
considered as atomic, but...

That's quite an unrealistic expectation. We cannot expect to implement
actions not expressable in the set of primitives Linux exposes to
us. We cannot expect a (quite invasive I'd expect) kernel patch to be
applied just because we want to run usrmerge.

> > (2) The TC is a decision-making body of last resort.  The bug you
> >     mention was filed today.  Might this be premature?
> 
> Well, if we close it or don't act on it, people will complain and/or
> demand to remove us from Debian for not acting on it (the latter might
> be limited to people just sitting on their porch).
> 
> The other tech-ctte bug about usrmerge also suggested it would just end
> up here either way.

There is a high chance we might end up getting this bug in the TC,
given the spirits we have seen around merged-/usr. However, I agree
with Sean: This bug is too early to summon the TC.

I know that if I suggest you to bring the issue to d-devel@l.d.o it
will fuel a flamewar, but I see no other proper way to handle _this
particular mail_. Maybe the request could be phrased differently, in a
way it could encompass this bug report (i.e. "ask the TC whether we
might use sloppy techniques when upgrading, considering the risks we
take as acceptable" (of course, I don't mean your job is sloppy, it's
just an example text that will not be accepted if asked )

So... I'm also inclined to ask you to please close this TC bug, as it
is not acceptable for a TC ruling. (Also, how many rulings does it
make sense for the TC to hold on the same tired topic of merged-/usr?)

Greetings,

- Gunnar.


signature.asc
Description: PGP signature

Bug#1020923: tech-ctte: please clarify if atomic updates are required

[Ansgar]

On Wed, 2022-09-28 at 13:05 -0700, Sean Whitton wrote:
> On Wed 28 Sep 2022 at 08:00PM +02, Ansgar wrote:
> > Package: tech-ctte
> > X-Debbugs-Cc: Zack Weinberg 
> > Control: block 1020920 by -1
> > 
> > Hi,
> > 
> > please clarify if atomic updates are mandatory for the Debian system.
> > Or other measures to ensure that system crashes at *any* time do not
> > render a system unbootable.
> > 
> > See also: https://bugs.debian.org/1020920
> 
> (1) Do you mean any package update?  Certain packages?  dist-upgrade?

Any package relevant for successful boot. Any upgrade.

As far as I can tell, the submitter requires some guarantees
significantly stronger than what Debian requires for essential
packages.

In particular, boot-relevant packages are demanded to work in
unconfigured state, with not fully satisfied dependencies (possibly not
even unpackaged?), in partly unpackaged states, after maintainer script
errors, and all of that in combination with system crashes that might
result in partly written data to filesystems. And possibly in other
interesting system states too.

> (2) The TC is a decision-making body of last resort.  The bug you
>     mention was filed today.  Might this be premature?

Well, if we close it or don't act on it, people will complain and/or
demand to remove us from Debian for not acting on it (the latter might
be limited to people just sitting on their porch).

The other tech-ctte bug about usrmerge also suggested it would just end
up here either way.

Ansgar

Bug#1020923: tech-ctte: please clarify if atomic updates are required

[Sean Whitton]

Hello,

On Wed 28 Sep 2022 at 08:00PM +02, Ansgar wrote:

> Package: tech-ctte
> X-Debbugs-Cc: Zack Weinberg 
> Control: block 1020920 by -1
>
> Hi,
>
> please clarify if atomic updates are mandatory for the Debian system.
> Or other measures to ensure that system crashes at *any* time do not
> render a system unbootable.
>
> See also: https://bugs.debian.org/1020920

(1) Do you mean any package update?  Certain packages?  dist-upgrade?

(2) The TC is a decision-making body of last resort.  The bug you
mention was filed today.  Might this be premature?

-- 
Sean Whitton


signature.asc
Description: PGP signature

Bug#1020923: tech-ctte: please clarify if atomic updates are required

[Ansgar]

Package: tech-ctte
X-Debbugs-Cc: Zack Weinberg 
Control: block 1020920 by -1

Hi,

please clarify if atomic updates are mandatory for the Debian system.
Or other measures to ensure that system crashes at *any* time do not
render a system unbootable.

See also: https://bugs.debian.org/1020920

Thanks,
Ansgar