Re: Security updates for sarge?

[Bartosz Fenski aka fEnIo]

On Mon, Oct 25, 2004 at 12:19:05AM -0400, Andres Salomon wrote:
> > 4) security team (though I'm not sure how bad the situation is)
> > 
> > So, if my help is wanted with one of the first three of those, I will 
> > gladly file a NM application immediately.
> > 
> 
> Afaict, James processes NM apps alphabetically, by last name. 

I think that's not true. NMs are processed in the order they finished their
applications. http://nm.debian.org/nmlist.php
The last person from the "Applicants waiting for DAM approval" will be in
theory at least processed first.

> You can probably get through the first few stages of NM in a few weeks 
> (It took me a little over a month, between submitting my app, to getting
> Front Desk approval). So, if you applied now and hurried, I'm betting
> you'd become a DD before me.  :/

I hope you're not right... that would be extremely unfair and in fact you
would never became maintainer with your surname ;)

regards
fEnIo
-- 
  _  Bartosz Fenski | mailto:[EMAIL PROTECTED] | pgp:0x13fefc40 | 
IRC:fEnIo
_|_|_ 32-050 Skawina - Glowackiego 3/15 - w. malopolskie - Polska
(0 0)  phone:+48602383548 | Slackware - the weakest link
ooO--(_)--Ooo  http://skawina.eu.org | JID:[EMAIL PROTECTED] | RLU:172001


signature.asc
Description: Digital signature

Re: Security updates for sarge?

[Andres Salomon]

On Sat, 23 Oct 2004 05:10:26 +0200, Sven Mueller wrote:

> Heck, If I were a DD, I would be glad to help whereever needed. The most 
> pressing bits seem to be (from my POV):
> 1) buildd network (especially because of sarge/security)
> 2) ftpmaster (seems to be overwhelmed in work for months now)
> 3) new-maintainer process (though it seems to have sped up considerably
> during the last year)

Hah..

> 4) security team (though I'm not sure how bad the situation is)
> 
> So, if my help is wanted with one of the first three of those, I will 
> gladly file a NM application immediately.
> 

Afaict, James processes NM apps alphabetically, by last name.  You can
probably get through the first few stages of NM in a few weeks (It took me
a little over a month, between submitting my app, to getting
Front Desk approval). So, if you applied now and hurried, I'm betting
you'd become a DD before me.  :/

Re: Security updates for sarge?

[Andrew Pollock]

On Sat, Oct 23, 2004 at 02:43:18PM -0500, Manoj Srivastava wrote:
> On Sat, 23 Oct 2004 05:10:26 +0200, Sven Mueller <[EMAIL PROTECTED]> said: 
> 
> > Ingo Juergensmann [u] wrote on 22/10/2004 18:35:
> >> On Fri, Oct 22, 2004 at 06:13:46PM +0200, Martin Schulze wrote:
> >> 
> >>> Because they have set up and maintain the buildd network.
> >> Yes, nice, well done, thank them for their initial work, but it
> >> seems as if it's up for others now to take over that job, because
> >> they obviously failing continuously doing it now.
> 
> > I must admit I thought something similar: Why the hell are there
> > only two people who know how to do it, when two people doesn't seem
> > to be enough?
> 
>   Are you volunteering to go out and better educate yourself to
>  take on this work?

I would like to volunteer. Please give me some pointers on how I could
better educate myself, as I have an interest in increasing my understanding
of the "back-end" of what makes the distribution tick.

regards

Andrew

-- 
linux.conf.au 2005   -  http://lca2005.linux.org.au/  -  Birthplace of Tux
April 18th to 23rd   -  http://lca2005.linux.org.au/  -   LINUX
Canberra, Australia  -  http://lca2005.linux.org.au/  -Get bitten!


signature.asc
Description: Digital signature

Re: Security updates for sarge?

[Ingo Juergensmann]

On Sun, Oct 24, 2004 at 01:14:25PM +0100, Matthew Garrett wrote:

> > IIRC, you're one of those Ubuntus, right? No more to be said then... 
> I am not an employee of Canonical, and nor have I ever been.

Ok, sorry then for that point. 

-- 
Ciao...  // 
  Ingo \X/

Re: Security updates for sarge?

[Matthew Garrett]

Ingo Juergensmann <[EMAIL PROTECTED]> wrote:

> IIRC, you're one of those Ubuntus, right? No more to be said then... 

I am not an employee of Canonical, and nor have I ever been.

-- 
Matthew Garrett | [EMAIL PROTECTED]

Re: Security updates for sarge?

[Matthias Urlichs]

Hi, Manoj Srivastava wrote:

>   Are you, then, setting up a system for the security team to be
>  able to build packages for testing?  (you did mention you needed no
>  further help from anybody).  Is there a reason you are not indeed
>  putting things in place?

I already have, as far as possible with my own machines. Debian, however,
consists of slightly more architectures than are currently available in my
computer room. I also assume that the security team's source packages are
located somewhere other than http://smurf.noris.de/code/debian/testing/;
furthermore, they probably want the official security stuff to live on a
Debian-administered system.

To clarify: I wouldn't need help actually doing it, but somebody would
have to add me into a few groups / add my ssh pubkey to a few more files,
before I'd be able to *start* doing it *again*, but this time in a way
that's actually of benefit tto Debian, instead of just my personal
playroom.

>> Asking whether people want to leatn how to do the job is thus
>> pointless.

>   No, having people who merely want to come up with rants
> against people who are doing the work is a good thing.

If the people who are currently allowed to do the work were indeed doing
it, I would agree with you. After a month of no visible progress WRT t-s,
however, I'd say that they are not.

-- 
Matthias Urlichs   |   {M:U} IT Design @ m-u-it.de   |  [EMAIL PROTECTED]

Re: Security updates for sarge?

[Ingo Juergensmann]

On Sun, Oct 24, 2004 at 03:29:35AM +0100, Matthew Garrett wrote:

> > But I think you're right... it's not about getting work done, it's about
> > politics and a orwellian "all users are equal, DDs are more equal" nonsense.
> > With every day passing by, it seems even more clearly to me that Debian has
> > lost its basics and has turned into a project that prefer to deal with
> > itself for that reason. And now it's even controlled by a venture
> > capitalist. Great job, well done... :-(
> You appear to be discussing some Debian that doesn't exist. In itself,
> this isn't surprising - you appear to have spent a significant period of
> time discussing a Debian that is only mildly related to the Debian that
> most people appear to perceive. Your postings to debian-devel have
> generally resulted in large quantities of noise and a complete absence
> of useful conclusions. 

Actually, I haven't seen a discussion resulting in any useful conclusion or
result on d-d. 

> You're either a revolutionary arguing on the side of the largely silent
> majority, or you're in a minority. In the first case, I'd suggest that
> you engage in making it clearer that a large set of people agree with
> you. In the latter case, I'd like to request that you stop. Your posts
> are counter-productive - your style of argumentation repels those who
> may have sympathy, and inflames those who already disagree with you.
> Your current activities are accomplishing nothing. There is no advantage
> to be gained in "I told you so" - instead, you merely delay us from
> going anywhere.

Ugh, sorry... I wasn't aware that it's *me* who is preventing the release
from being done. When I would have known that, I never would have worked
hard in the past weeks on the unofficial buildd network to bring down the
backlog for mips (and tried for others). Silly me... 

> Matthew Garrett | [EMAIL PROTECTED]

IIRC, you're one of those Ubuntus, right? No more to be said then... 

-- 
Ciao...  // 
  Ingo \X/

Re: Security updates for sarge?

[Manoj Srivastava]

On Sun, 24 Oct 2004 00:30:37 +0200, Sven Mueller <[EMAIL PROTECTED]> said: 

> Manoj Srivastava [u] wrote on 23/10/2004 21:43:
>>> I must admit I thought something similar: Why the hell are there
>>> only two people who know how to do it, when two people doesn't
>>> seem to be enough?
>> Are you volunteering to go out and better educate yourself to take
>> on this work?

> You know perfectly well that there _are_ people out there who know
> how to do it.

And don't seem to have the time or the motivation to do it,
 i=or it would have been done.  Until it is done, all people who rant
 at the current situation would be better off learning how to and
 actually doing something, rather than coming out with more hot air.

>  Also: I offered my help if it is wanted (see below),

And that is very good indeed.

> but I see no point in learning what's needed to work as a buildd or
> ftp admin for debian while I know perfectly well that helping hands
> in these areas is regularly declined by those in charge.

Umm, empty promises are often ignored, yes. Setting up a
 tested infrastructure, I think, would not be ignored.

> If my help is indeed wanted: Yes.  Under the current circumstances
> (with no definite acknowledgement that my help will be accepted):

That's not how things work.

> no.

Ah. Thought not.

> Also you are in no way responsive to my main point: Why are there
> only two people doing the job when quite a few more people have
> already offered to help (and are indeed qualified to do the job)?

Cause they got off their butt and did things? (rather than
 talk about how good they would be at helping out, if only people
 formed cheering squads and go Rah! rah! rah!

>> Or is this yet another time wasting rant?

> You mean like your post?

Yup, mine was an anti-rant rant.

>>> Heck, If I were a DD, I would be glad to help whereever
>>> needed. The

>> Ah. Just a spectator, booing and hissing at the people who have
>> stood up to be counted.

> And who decline help every time the subject of their work load comes
> up? 

You ain;t ever gonna get a gilded invitation. That is not how
 free software works.


>>> So, if my help is wanted with one of the first three of those, I
>>> will gladly file a NM application immediately.

>> Please do.

> Fine. Where do you want me to help?

Weherever you can scratch your itch.

> When I know where my help is wanted and accepted, I will gladly file
> the application. Until then I currently see no point in doing so
> (putting more load on the DAM without having actual work for me to
> do).

Don't bother. With that attitude, I don't think you are gonna
 last long in free software. If you continue to look externally for
 gilded invitations and  rah! rah! aquads.

>> We need more workers, and less lawyers.

> Exactly my point. Problem is that the current workers are doing
> everything to keep others from being able to do their work.

If the so called wanna-be workers are so easily dissuaded, I
 am not sure they aree the workers we are looking for. Moving along
 now. 

manoj
-- 
And miles to go before I sleep. Robert Frost
Manoj Srivastava   <[EMAIL PROTECTED]>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

Re: Security updates for sarge?

[Manoj Srivastava]

On Sat, 23 Oct 2004 22:40:58 +0200, Matthias Urlichs <[EMAIL PROTECTED]> said: 

> Hi, Manoj Srivastava wrote:
>> Again, are you volunteering to go out and learn how to do it?  Or
>> is this yet another time wasting rant?
>> 
>>> Heck, If I were a DD, I would be glad to help whereever
>>> needed. The
>> 
>> Ah. Just a spectator, booing and hissing at the people who have
>> stood up to be counted.

> Manoj, please stop.

I would much rather that the peanut gallery stop, in which
 case I would never have intervened.

> The last time this came up, at least four people offered to help. At
> least one of them (me ;-) considers himself to be qualified and
> experienced enough to do the job without further help from anybody.

Are you, then, setting up a system for the security team to be
 able to build packages for testing?  (you did mention you needed no
 further help from anybody).  Is there a reason you are not indeed
 putting things in place?

> Asking whether people want to leatn how to do the job is thus
> pointless.

No, having people who merely want to come up with rants
 against people who are doing the work is a good thing.  If you don't
 think things are being done well enough, and that you can do better,
 by all means go ahead and scratch your itch.

manoj
-- 
"The part I think I'd like best is crushing people who get in my way."
Calvin
Manoj Srivastava   <[EMAIL PROTECTED]>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

Re: Security updates for sarge?

[Matthew Garrett]

Ingo Juergensmann <[EMAIL PROTECTED]> wrote:

> But I think you're right... it's not about getting work done, it's about
> politics and a orwellian "all users are equal, DDs are more equal" nonsense.
> With every day passing by, it seems even more clearly to me that Debian has
> lost its basics and has turned into a project that prefer to deal with
> itself for that reason. And now it's even controlled by a venture
> capitalist. Great job, well done... :-(

Ingo,

You appear to be discussing some Debian that doesn't exist. In itself,
this isn't surprising - you appear to have spent a significant period of
time discussing a Debian that is only mildly related to the Debian that
most people appear to perceive. Your postings to debian-devel have
generally resulted in large quantities of noise and a complete absence
of useful conclusions. 

You're either a revolutionary arguing on the side of the largely silent
majority, or you're in a minority. In the first case, I'd suggest that
you engage in making it clearer that a large set of people agree with
you. In the latter case, I'd like to request that you stop. Your posts
are counter-productive - your style of argumentation repels those who
may have sympathy, and inflames those who already disagree with you.
Your current activities are accomplishing nothing. There is no advantage
to be gained in "I told you so" - instead, you merely delay us from
going anywhere.

Please. No more.
-- 
Matthew Garrett | [EMAIL PROTECTED]

Re: Security updates for sarge?

[Ben Burton]

> And without starting a flamewar, ...

Yep, I thought it looked too good to be true.

b.

Re: Security updates for sarge?

[Sven Mueller]

Manoj Srivastava [u] wrote on 23/10/2004 21:43:
I must admit I thought something similar: Why the hell are there
only two people who know how to do it, when two people doesn't seem
to be enough?
Are you volunteering to go out and better educate yourself to
 take on this work?
You know perfectly well that there _are_ people out there who know how 
to do it.
Also: I offered my help if it is wanted (see below), but I see no point 
in learning what's needed to work as a buildd or ftp admin for debian 
while I know perfectly well that helping hands in these areas is 
regularly declined by those in charge.

  It might be better if they postponed further work on
the buildd network and used that time to introduce others to the
job. In the end, this might very well speed up the whole process. At
least, it gets some more redundancy (what happens if one of them
gets ill while the other is on a prolonged journey?).  Two people
who can do the job certainly isn't nearly enough for such important
jobs in a project as big as Debian. I would think it should be at
least 5-6 people.
	Again, are you volunteering to go out and learn how to do it?
If my help is indeed wanted: Yes.
Under the current circumstances (with no definite acknowledgement that 
my help will be accepted): no.
Also you are in no way responsive to my main point: Why are there only 
two people doing the job when quite a few more people have already 
offered to help (and are indeed qualified to do the job)?

 Or is this yet another time wasting rant?
You mean like your post?
Heck, If I were a DD, I would be glad to help whereever needed. The
Ah. Just a spectator, booing and hissing at the people who
 have stood up to be counted.
And who decline help every time the subject of their work load comes up?
Also: No, not just a spectator. I have been advocating and deploying 
Debian for quite a while. Also I helped new users of Debian quite a lot. 
And my first Debian package has been uploaded almost two weeks ago and 
is still waiting in the NEW queue.

So, if my help is wanted with one of the first three of those, I
will gladly file a NM application immediately.
	Please do.
Fine. Where do you want me to help? When I know where my help is wanted 
and accepted, I will gladly file the application. Until then I currently 
see no point in doing so (putting more load on the DAM without having 
actual work for me to do).

>  We need more workers, and less lawyers.
Exactly my point. Problem is that the current workers are doing 
everything to keep others from being able to do their work.

cu,
sven

Re: Security updates for sarge?

[Ingo Juergensmann]

On Sun, Oct 24, 2004 at 12:21:28AM +0200, Matthias Urlichs wrote:

> > Funny. Arrakis were used heavily in the past for security builds as
> > well. Otherweise I have no idea where all those security team logins on
> > arrakis come from?
> I'd assume that there's a *slight* difference between "somebody, who
> doesn't (necessarily) have any privileges, logs on and specifically builds
> something", and an unattended autobuilder.

Well, the main difference I see is, that there are still no security updates
for sarge/testing. For the user it's irrelevant if the security updates was
built by a person or an autobuilder. 

But I think you're right... it's not about getting work done, it's about
politics and a orwellian "all users are equal, DDs are more equal" nonsense.
With every day passing by, it seems even more clearly to me that Debian has
lost its basics and has turned into a project that prefer to deal with
itself for that reason. And now it's even controlled by a venture
capitalist. Great job, well done... :-(

-- 
Ciao...  // 
  Ingo \X/

Re: Security updates for sarge?

[Matthias Urlichs]

Hi, Ingo Juergensmann wrote:

> Funny. Arrakis were used heavily in the past for security builds as
> well. Otherweise I have no idea where all those security team logins on
> arrakis come from?
> 
I'd assume that there's a *slight* difference between "somebody, who
doesn't (necessarily) have any privileges, logs on and specifically builds
something", and an unattended autobuilder.

-- 
Matthias Urlichs   |   {M:U} IT Design @ m-u-it.de   |  [EMAIL PROTECTED]

Re: Security updates for sarge?

[Ingo Juergensmann]

On Sun, Oct 24, 2004 at 12:01:46AM +0200, Matthias Urlichs wrote:

> > You don't need to do that. There're plenty of machines available - albeit
> > outside the debian.org domain...
> Ingo, this is about the *security* autobuilders. There's a reason why
> Debian cannot do that with machines it doesn't control.

Funny. Arrakis were used heavily in the past for security builds as well.
Otherweise I have no idea where all those security team logins on arrakis
come from?

But well, yes, I guess, I should lean back and wait until Debian is a total
mess and I can say "Well, I told you before..." 

-- 
Ciao...  // 
  Ingo \X/

Re: Security updates for sarge?

[Matthias Urlichs]

Hi, Ingo Juergensmann wrote:

> You don't need to do that. There're plenty of machines available - albeit
> outside the debian.org domain...

Ingo, this is about the *security* autobuilders. There's a reason why
Debian cannot do that with machines it doesn't control.

-- 
Matthias Urlichs   |   {M:U} IT Design @ m-u-it.de   |  [EMAIL PROTECTED]

Re: Security updates for sarge?

[Ingo Juergensmann]

On Sat, Oct 23, 2004 at 10:52:27PM +0200, Matthias Urlichs wrote:

> "You want to help? Start by buying your own mips machine!" isn't going to
> cut it. Besides, I already (and gladly) did that, for m68k.

You don't need to do that. There're plenty of machines available - albeit
outside the debian.org domain...
Just raise your hands, whoever is willing to take over a buildd. I'd try my
best to supply you with a machine or coordinate contacts of people having
the machines.

-- 
Ciao...  // 
  Ingo \X/

Re: Security updates for sarge?

[Matthias Urlichs]

Hi, Anthony Towns wrote:

> doing the work /first/ is the obvious way of demonstrating that the offer
> will actually get followed up;

... assuming that there's any work that *can* be done without having
access.

Case in point: I would very much like to set up the required buildd
environments on the Debian computers in question. (Presumably they already
run a buildd for sid...)

I can't do that without actual root-level access to them.

"You want to help? Start by buying your own mips machine!" isn't going to
cut it. Besides, I already (and gladly) did that, for m68k.

-- 
Matthias Urlichs   |   {M:U} IT Design @ m-u-it.de   |  [EMAIL PROTECTED]

Re: Security updates for sarge?

[Matthias Urlichs]

Hi, Manoj Srivastava wrote:

>   Again, are you volunteering to go out and learn how to do it?
>  Or is this yet another time wasting rant?
> 
>> Heck, If I were a DD, I would be glad to help whereever needed. The
> 
>   Ah. Just a spectator, booing and hissing at the people who
>  have stood up to be counted.

Manoj, please stop.

The last time this came up, at least four people offered to help. At least
one of them (me ;-) considers himself to be qualified and experienced
enough to do the job without further help from anybody.

Asking whether people want to leatn how to do the job is thus pointless.

-- 
Matthias Urlichs   |   {M:U} IT Design @ m-u-it.de   |  [EMAIL PROTECTED]

Re: Security updates for sarge?

[Manoj Srivastava]

On Sat, 23 Oct 2004 05:10:26 +0200, Sven Mueller <[EMAIL PROTECTED]> said: 

> Ingo Juergensmann [u] wrote on 22/10/2004 18:35:
>> On Fri, Oct 22, 2004 at 06:13:46PM +0200, Martin Schulze wrote:
>> 
>>> Because they have set up and maintain the buildd network.
>> Yes, nice, well done, thank them for their initial work, but it
>> seems as if it's up for others now to take over that job, because
>> they obviously failing continuously doing it now.

> I must admit I thought something similar: Why the hell are there
> only two people who know how to do it, when two people doesn't seem
> to be enough?

Are you volunteering to go out and better educate yourself to
 take on this work?

>It might be better if they postponed further work on
> the buildd network and used that time to introduce others to the
> job. In the end, this might very well speed up the whole process. At
> least, it gets some more redundancy (what happens if one of them
> gets ill while the other is on a prolonged journey?).  Two people
> who can do the job certainly isn't nearly enough for such important
> jobs in a project as big as Debian. I would think it should be at
> least 5-6 people.

Again, are you volunteering to go out and learn how to do it?
 Or is this yet another time wasting rant?

> Heck, If I were a DD, I would be glad to help whereever needed. The

Ah. Just a spectator, booing and hissing at the people who
 have stood up to be counted.

> So, if my help is wanted with one of the first three of those, I
> will gladly file a NM application immediately.

Please do. We need more workers, and less lawyers.

manoj
-- 
Zeus gave Leda the bird.
Manoj Srivastava   <[EMAIL PROTECTED]>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

Re: Security updates for sarge?

[Ingo Juergensmann]

On Sat, Oct 23, 2004 at 05:10:26AM +0200, Sven Mueller wrote:

> >>Because they have set up and maintain the buildd network.
> >Yes, nice, well done, thank them for their initial work, but it seems as if
> >it's up for others now to take over that job, because they obviously 
> >failing continuously doing it now.  
> I must admit I thought something similar:
> Why the hell are there only two people who know how to do it, when two 
> people doesn't seem to be enough?

Oh, there are more people experienced enough to do that work - but those two
won't let them do it. 

> It might be better if they postponed 
> further work on the buildd network and used that time to introduce 
> others to the job.

Other people disagree here with you (f.e. Manoj). They think, it would harm
to take the time to introduce other people to the work needed done. 

I do agree with you: it is the best when other people are introduced to the
work by the experienced ones. It shortens the time until the new ones can
work productively together with the old ones significantly. F.e. Martin
Loschwitz was introduced within days in running/admining a buildd. 
It's way more complicated to setup a buildd without any help, because it's
not well documented. By reason, I guess. Having more people sharing the
knowledge of the mysterious buildd network threatens the power of the two
who are in charge now. 
But I'm sure it won't help them in the long run - but it harms the project
in the meanwhile. 

> In the end, this might very well speed up the whole 
> process. At least, it gets some more redundancy (what happens if one of 
> them gets ill while the other is on a prolonged journey?).

Stagnation. 

> Two people who can do the job certainly isn't nearly enough for such 
> important jobs in a project as big as Debian. I would think it should be 
> at least 5-6 people.

I'm argueing this for about a year now - nothing happened so far. Instead,
it got worse and worse... 
 
> Similar things could be said about ftpmasters. New packages are supposed 
> to be added to unstable within at most one week, but I'm waiting for ten 
> days now. (Yeah, I know, still not _that_ long.) I'm not complaining, 
> just wondering.
> Heck, If I were a DD, I would be glad to help whereever needed.

Even being a DD wouldn't help much. There are already DDs trying to solve
those problems, but aren't very successful. The two people are in positions
where they can block nearly anything to death. 
Isn't that great!?

> The most 
> pressing bits seem to be (from my POV):
> 1) buildd network (especially because of sarge/security)
> 2) ftpmaster (seems to be overwhelmed in work for months now)
> 3) new-maintainer process (though it seems to have sped up considerably
>during the last year)
> 4) security team (though I'm not sure how bad the situation is)

Oh well, do some research and find out who's in charge for many of these 4
key problems. You'll find quite the same names mostly (security differs
the most from the others, I think)

> So, if my help is wanted with one of the first three of those, I will 
> gladly file a NM application immediately.

It's sad, but I don't think your application will proceed fast... it will
get stuck waiting for DAM approval for months.

Am I the only who's curious about Debians independence with all those paid
Ubuntu DDs in key positions of Debian?

-- 
Ciao...  // 
  Ingo \X/

Re: Security updates for sarge?

[Sven Mueller]

Ingo Juergensmann [u] wrote on 22/10/2004 18:35:
On Fri, Oct 22, 2004 at 06:13:46PM +0200, Martin Schulze wrote:
Because they have set up and maintain the buildd network.
Yes, nice, well done, thank them for their initial work, but it seems as if
it's up for others now to take over that job, because they obviously failing
continuously doing it now.  
I must admit I thought something similar:
Why the hell are there only two people who know how to do it, when two 
people doesn't seem to be enough? It might be better if they postponed 
further work on the buildd network and used that time to introduce 
others to the job. In the end, this might very well speed up the whole 
process. At least, it gets some more redundancy (what happens if one of 
them gets ill while the other is on a prolonged journey?).
Two people who can do the job certainly isn't nearly enough for such 
important jobs in a project as big as Debian. I would think it should be 
at least 5-6 people.

Similar things could be said about ftpmasters. New packages are supposed 
to be added to unstable within at most one week, but I'm waiting for ten 
days now. (Yeah, I know, still not _that_ long.) I'm not complaining, 
just wondering.

Heck, If I were a DD, I would be glad to help whereever needed. The most 
pressing bits seem to be (from my POV):
1) buildd network (especially because of sarge/security)
2) ftpmaster (seems to be overwhelmed in work for months now)
3) new-maintainer process (though it seems to have sped up considerably
   during the last year)
4) security team (though I'm not sure how bad the situation is)

So, if my help is wanted with one of the first three of those, I will 
gladly file a NM application immediately.

cu,
sven

Re: Security updates for sarge?

[Anthony Towns]

On Fri, Oct 22, 2004 at 10:34:07PM -0700, Don Armstrong wrote:
> Is there anything that those of us who are not these two people can do
> to help with this, short of not bothering them about it?

I'm not sure where the "two people" figure comes from; I assume it's
supposed to be referring to James and Ryan, but I can't see any obvious
reason why Joey, Bdale or Lamont wouldn't have the experience too, or why
they'd not be able to get access if they asked. OTOH, I can't imagine
any of them having huge amounts of time free either.

Anyway; the easy solution to not knowing how to help the people who
can do it already is just to do it all yourself. Create a website
(people.debian.org/~you, eg), write some scripts, and start uploading to
that. 

The main reason offers of help don't work, is that the vast majority
of them don't actually get followed through, so it just ends up wasting
time setting up access permissions, and teaching the newbie how things
works -- doing the work /first/ is the obvious way of demonstrating
that the offer will actually get followed up; and it's a far better
predictor than looking at who the person is, or what they've done for
other projects, too, eg. The "do it all yourself" approach also works
in case the people who you were going to help don't get around to doing
anything, for whatever reason.

Eg, Guy Maor was going to do a lot of the archive work needed to get
"testing" happening at one point; but instead ended up reducing his
involvement in Debian and not really doing anything; likewise, testing
had been running for about a year before Jason and James started doing
much about changing the archive so that it could be integrated.

Note that doing stuff on your own doesn't offer any guarantees that
it won't be a complete waste of time; Drake Diedrich [0] did an
implementation of pools way back in 2000 that pretty much disappeared
into the aether. (I happen to think some good ideas from it got pulled
into dak/katie; but others' mileage probably varies)

Cheers,
aj

[0] http://lists.debian.org/debian-pool/2000/08/msg2.html

-- 
Anthony Towns <[EMAIL PROTECTED]> 
Don't assume I speak for anyone but myself. GPG signed mail preferred.

``[S]exual orgies eliminate social tensions and ought to be encouraged.''
  -- US Supreme Court Justice Antonin Scalia (http://tinyurl.com/3kwod)


signature.asc
Description: Digital signature

Re: Security updates for sarge?

[Petter Reinholdtsen]

[Don Armstrong]
> Is there anything that those of us who are not these two people can
> do to help with this, short of not bothering them about it?

I'm not sure how to help on the infrastructure.

But if you want to help with securing sarge/testing, you can help Joey
Hess and the rest of us checking all CAN-reports and DSAs to find out
which of these applies to sarge and which do not.  As I said in an
earlier email.  Debian-edu is trying to form a security team for
testing, to work in parallell with the team working on stable.  We
hope this will take some of the load from the current security team.

To avoid the problems with keeping secret information hidden, this
team will focus on the publicly known security issues, and leave the
secret problems to the Debian/stable security team.  This will make
security fixes for Debian/testing appear later then fixes for
Debian/stable, but would definitely be an improvement from today, when
they appear in Debian/testing after random intervals instead.

Join #debian-edu and/or send an email to Joeh Hess <[EMAIL PROTECTED]>,
me and Finn-Arne Johansen <[EMAIL PROTECTED]> if you are interested.

Re: Security updates for sarge?

[Don Armstrong]

On Fri, 22 Oct 2004, Martin Schulze wrote:
> Jan Niehusmann wrote:
> > Question to the security team: What's holding back security support for
> > sarge? (This is not a complaint - I'm just curious)
> 
> It still (as written on -project one or two weeks ago) lacks the
> infrastructure as in a working buildd network that processes the
> target ``testing-security''.  This is something that two people in
> Debian can set up.  (This is only information, please don't start
> a flamware about it).

I've asked this question informally a few times, but I'll ask it
again:

Is there anything that those of us who are not these two people can do
to help with this, short of not bothering them about it?


Don Armstrong

-- 
If a nation values anything more than freedom, it will lose its
freedom; and the irony of it is that if it is comfort or money it
values more, it will lose that, too.
 -- W. Somerset Maugham

http://www.donarmstrong.com  http://rzlab.ucr.edu

Re: Security updates for sarge?

[Matthias Urlichs]

Hi, Martin Schulze wrote:
 
> Because they have set up and maintain the buildd network.

Other people have set up, and are maintaining, their very own buildd
networks, and thus might be assumed to be qualified to add t-s support
and/or whatever else is missing.

Me, for example. (I think I've mentioned that a few times.)

-- 
Matthias Urlichs   |   {M:U} IT Design @ m-u-it.de   |  [EMAIL PROTECTED]

Re: Security updates for sarge?

[Ingo Juergensmann]

On Fri, Oct 22, 2004 at 06:13:46PM +0200, Martin Schulze wrote:

> Because they have set up and maintain the buildd network.

Yes, nice, well done, thank them for their initial work, but it seems as if
it's up for others now to take over that job, because they obviously failing
continuously doing it now.  

-- 
Ciao...  // 
  Ingo \X/

Re: Security updates for sarge?

[Martin Schulze]

Josselin Mouette wrote:
> Le vendredi 22 octobre 2004 à 11:26 +0200, Martin Schulze a écrit :
> > It still (as written on -project one or two weeks ago) lacks the
> > infrastructure as in a working buildd network that processes the
> > target ``testing-security''.  This is something that two people in
> > Debian can set up.  (This is only information, please don't start
> > a flamware about it).
> 
> And without starting a flamewar, could you give us the additional
> information that explains why only two people in Debian can do that?

Because they have set up and maintain the buildd network.

Regards,

Joey

-- 
Reading is a lost art nowadays.  -- Michael Weber

Please always Cc to me when replying to me on the lists.

Re: Security updates for sarge?

[Josselin Mouette]

Le vendredi 22 octobre 2004 Ã 11:26 +0200, Martin Schulze a Ãcrit :
> It still (as written on -project one or two weeks ago) lacks the
> infrastructure as in a working buildd network that processes the
> target ``testing-security''.  This is something that two people in
> Debian can set up.  (This is only information, please don't start
> a flamware about it).

And without starting a flamewar, could you give us the additional
information that explains why only two people in Debian can do that?
-- 
 .''`.   Josselin Mouette/\./\
: :' :   [EMAIL PROTECTED]
`. `'[EMAIL PROTECTED]
  `-  Debian GNU/Linux -- The power of freedom


signature.asc
Description: Ceci est une partie de message	=?ISO-8859-1?Q?num=E9riquement?= =?ISO-8859-1?Q?_sign=E9e?=

Re: Security updates for sarge?

[Florian Weimer]

* Andreas Barth:

> There are no autobuilders for testing-security.

So what's missing at this stage?  Machines?  An active local system
administrator?  Or someone who is trusted enough to integrate the
buildds into the security build infrastructure?

If it's machines or the local system administrator, it shouldn't be
too hard to throw a little bit of money at the problem and install a
machine at a location which someone who's committed to do the work can
access physically.

Re: Security updates for sarge?

[Steve McIntyre]

Joey writes:
>Jan Niehusmann wrote:
>> Question to the security team: What's holding back security support for
>> sarge? (This is not a complaint - I'm just curious)
>
>It still (as written on -project one or two weeks ago) lacks the
>infrastructure as in a working buildd network that processes the
>target ``testing-security''.  This is something that two people in
>Debian can set up.  (This is only information, please don't start
>a flamware about it).

Thanks for the info. It would be nice to see this kind of information
made more readily available, more often.

Colin/Steve - you seem to have been posting about once every 3 weeks
listing current sarge status. Can you up the frequency of that please?
A weekly short summary might help a great deal to keep people informed
and focussed on doing sarge work.

-- 
Steve McIntyre, Cambridge, UK.[EMAIL PROTECTED]
"I've only once written 'SQL is my bitch' in a comment. But that code 
 is in use on a military site..." -- Simon Booth

Re: Security updates for sarge?

[Martin Schulze]

Jan Niehusmann wrote:
> Question to the security team: What's holding back security support for
> sarge? (This is not a complaint - I'm just curious)

It still (as written on -project one or two weeks ago) lacks the
infrastructure as in a working buildd network that processes the
target ``testing-security''.  This is something that two people in
Debian can set up.  (This is only information, please don't start
a flamware about it).

Regards,

Joey

-- 
Reading is a lost art nowadays.  -- Michael Weber

Re: Security updates for sarge? (was: Ubuntu discussion at planet.debian.org)

[Andreas Barth]

* Jan Niehusmann ([EMAIL PROTECTED]) [041022 11:10]:
> Question to the security team: What's holding back security support for
> sarge? (This is not a complaint - I'm just curious)

There are no autobuilders for testing-security. See the latest release
update http://lists.debian.org/debian-devel-announce/2004/09/msg5.html:
| The bad news is that we still do not have an ETA for the
| testing-security autobuilders to be functional.  This continues to be
| the major blocker for proceeding with the freeze; we would /like/ to
| have security support in place for sarge before encouraging widespread
| upgrade woody->sarge upgrade testing, but we /need/ to have it in place
| before releasing, so it would be unwise to try to freeze the rest of the
| archive without any confirmed schedule for the last stages of the
| release.

The good news is that we finalized the toolchain for sarge in the very
last days.



Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C

Re: Security updates for sarge?

[Petter Reinholdtsen]

[Jan Niehusmann]
> Question to the security team: What's holding back security support
> for sarge? (This is not a complaint - I'm just curious)

Debian-edu is trying to form a separate security team for
debian/testing, working on keeping the testing distribution secure in
paralell with the debian/stable security team.  The blocking feature
here is lack of people capable and willing to contribute.

The idea is to make it safe to use testing and get more people using
testing that way, and to make sure testing is closer to a releasable
state when it is frozen and renamed to debian/stable.

Interested people can join #debian-edu or contact me, Joey Hess
<[EMAIL PROTECTED]> and Finn-Arne Johansen <[EMAIL PROTECTED]> by email.