Re: Debian and Non-Free Services
On Thu, Sep 12, 2019 at 01:30:24PM -0400, Sam Hartman wrote:
>
> I'm trying to move a thread from -devel.
>
> Ian Jackson responded [1] to part of a consensus discussion on Git
> recommendations. I had said that I think we recommend against the use
> of non-free services like Github but do not forbid their use.
> Ian disagreed with this recommendation.
>
> I responded [2] noting that around 7% of the packages with a vcs-git in
> unstable are hosted on Github.
>
> Ian said [3] that he was confident if we had a GR to forbid use of services
> like Github it would pass.
>
> He proposed the following text for such a GR.
>
> I think such a discussion is better on -project.

Thanks.

> [1]: https://lists.debian.org/msgid-search/23927.51367.848949.15...@chiark.greenend.org.uk
> [2]: https://lists.debian.org/msgid-search/tslwoedy93e.fsf...@suchdamage.org
> [3]: https://lists.debian.org/msgid-search/23930.17192.131171.455...@chiark.greenend.org.uk
>
> Subject: Free Software Needs Free Tools
>
> No Debian contributor should be expected or encouraged, when working
> to improve Debian, to use non-free tools.

That applies to any tool, also free ones.

> This includes proprietary
> web services.

And free web services.

> We will ensure this, insofar as it is within Debian's
> collective control.
>
> For example, Vcs-Git fields in source packages must not refer to
> proprietary git code management systems. Non-Debian services are
> acceptable here so long as they are principally Free Software.

Then maintainers could remove them as a workaround.

> We encourage all our upstreams to use Free/Libre tools.
>
> We recognise that metadata in Debian which describes the behaviour
> of those outside our community, for example fields which refer to
> upstream source management systems, may (in order to be accurate)
> still need to refer to proprietary systems.

Our upstreams are free to use what they want.

Note that salsa.d.o is a legal risk. When a contributor uploads non-distributable software, then Debian is in fact redistributing it immediately. Should we promote Github? :-)

Cheers,
Bart
Re: State of the debian keyring
On Sat, Feb 22, 2014 at 06:35:06PM -0600, Gunnar Wolf wrote:

Kurt Roeckx dijo [Sun, Feb 23, 2014 at 12:46:41AM +0100]:

For those people who are not aware of this yet, this is really a problem.

I agree. We should take security in Debian seriously. Getting weak keys replaced by strong ones in the keyring in time, keeping up with increasing computer power, is part of that.

This provides less security than an 80 bit symmetric cipher. A brute force for this is possible. It's considered to have very short time protection against agencies, short time against medium organisations.

That's still 61.5% that's at 1024 bit. CAs are doing better than this, with only 0.8% of the certificates that are still active being 1024 bit.

Can I suggest that everyone that is still using a 1024 bit pgp key generates a new key *now*?

Yes please, *now*.

The recommended minimum size is at least 2048 bit, but I suggest you go for 4096 bit.

...And now that you mention this here on the list, we have been discussing how to deal with this for keyring-maint¹. It would clearly be unacceptable for us to decide to lock out 61.5% of Debian because of their old key.

In my opinion it would clearly be unacceptable for us to allow the weak keys in the keyring for a day longer. How about removing them now.

Also, removing those keys would most probably make our WoT much more fragile.

The WoT is already fragile due to the weak keys. Also, removing the weak keys from the keyring doesn't weaken the WoT because all keys still exist in public.

I'd like to ask the project as a whole for input on how we should push towards this migration. I guess that most of the socially-connected Debian Developers already have 4096R keys. How can we reach those who don't?

Contacting them can obviously be done via e-mail. Note that if they are still active DDs they should already be aware of the weakness of the keys. Let's get real on this, see the age of this message [0], a message all DDs should have read at the time. I understand however practical challenges for DDs living in remote areas for getting keys signed.

[0] : https://lists.debian.org/debian-devel-announce/2010/09/msg3.html

How can we incentivize them to change?

As I wrote above, by removing the weak keys now.

Remember that, in order to get a new key accepted, a big hurdle is sometimes the need for meeting two people with active keys. Several people have started the process to update their keys, but after months (and no real possibility to meet a DD in person) have let it stay as it is. This hurdle is, of course, very important to maintain in order to avoid loosening our identity requirements... So, what do you suggest?

DDs with strong keys can help the locked out DDs with key signing [1] and with temporarily sponsoring important/urgent packages uploads [2]. I'm hereby offering this help myself now.

[1] : https://wiki.debian.org/Keysigning/Offers
[2] : http://mentors.debian.net/intro-maintainers

Regards,
Bart Martens
Re: State of the debian keyring
On Sun, Feb 23, 2014 at 07:57:43AM +, Marco d'Itri wrote:

gw...@gwolf.org wrote:

So, what do you suggest?

Persuade developers that they should sign the new key of people whose old key they have already signed, with no need to meet them in person.

No, because this would reduce the value of the new keys to the weakness of the 1024 bit keys.

Regards,
Bart Martens
Re: State of the debian keyring
On Sun, Feb 23, 2014 at 10:23:47AM +0100, Matthias Urlichs wrote:

Hi,

Bart Martens:

On Sun, Feb 23, 2014 at 07:57:43AM +, Marco d'Itri wrote:

gw...@gwolf.org wrote:

So, what do you suggest?

Persuade developers that they should sign the new key of people whose old key they have already signed, with no need to meet them in person.

No, because this would reduce the value of the new keys to the weakness of the 1024 bit keys.

That's somewhat true for now given a sufficiently-motivated attacker, but if *afterwards* some nefarious $CENSORED gets the idea that $DD would be a nice target for hacking their key, they'd be out of luck. They'd also be out of luck if the DD's new key happens to already exist (which the DD who's asked to sign the new key should obviously check).

We don't know which 1024 bit keys may already have been compromised, so you would not know which new keys would be compromised as well.

Thus I would add the new key provisionally;

I don't see the point in provisionally adding potentially compromised keys.

if it doesn't get any new signatures from DDs with non-provisional strong keys during, say, the rest of this year, then delete it from the keyring.

I see no reason to allow more time, since we have been talking about 4096 keys since 2010.

This would still be more secure than waiting a year before disabling the old keys, and come 2015 there would be no difference.

A 4096 bit key is cryptographically stronger than a 1024 bit key, but the point of key signing is about verifying who is holding the private key.

However, I see another problem. http://keyring.debian.org/replacing_keys.html states that, if Alice wants to get her key X replaced with key Y, Alice must get a Debian developer […] to sign a message requesting the replacement of key X with key Y on behalf of Alice … which IMHO is an unnecessary burden if Alice's old and new key are valid and sufficiently DD-signed.

I suggest to discuss that in a separate thread.

Regards,
Bart Martens
Re: State of the debian keyring
On Sun, Feb 23, 2014 at 12:28:58PM +0100, Kurt Roeckx wrote:

On Sun, Feb 23, 2014 at 07:57:43AM +, Marco d'Itri wrote:

gw...@gwolf.org wrote:

So, what do you suggest?

Persuade developers that they should sign the new key of people whose old key they have already signed, with no need to meet them in person.

I'm not sure what you're saying, but I think it's a bad idea.

I agree that it's a bad idea.

What I would find acceptable is that if you generate a new key you sign the same keys with the new key that you signed previously with the old key.

If this is cross signing your own old and new keys, then there is, unrelated to the debian keyring, obviously nothing wrong with that.

I would also find it acceptable that the keyring maintainers accept a signature from a single DD to replace the key, with that single DD being the DD's old key.

I would not find this acceptable. I'm surprised you write this. Maybe I'm misreading what you meant.

If the old key doesn't get revoked there is still a (weak) web of trust.

This is true.

But I would like to see a signature from at least one other person with a stronger key that has a reasonable connection to the web of trust, preferably a DD. The more the better of course.

I think we should use the exact same rules for replacing old keys by new keys as for adding new keys from newcomers. We should not lower the value of new keys by cutting corners.

I see no good reason to sign new keys without meeting the person to confirm that that is their new key.

I strongly agree with that.

You seem to suggest that that is a good idea to keep the web of trust, but to me it seems you just create a web of trust that isn't really there.

If your point is that the web of trust with the 4096 bit keys shouldn't depend on the existing web of trust based on the old 1024 bit keys, then I agree. I don't object against keeping the existing web of trust based on the 1024 bit keys, but one should realize that it is already weakened, regardless of how we introduce 4096 bit keys.

What we need is a way to confirm that you're talking to the same person you've met previously and confirm that that is his new key.

Exactly. We should not cut corners when replacing the 1024 bit keys by 4096 ones.

Regards,
Bart Martens
Re: State of the debian keyring
On Sun, Feb 23, 2014 at 08:56:46AM -0600, Gunnar Wolf wrote:

Marco d'Itri dijo [Sun, Feb 23, 2014 at 07:57:43AM +]:

gw...@gwolf.org wrote:

So, what do you suggest?

Persuade developers that they should sign the new key of people whose old key they have already signed, with no need to meet them in person.

I'm open to that if and only if the new keys have proper transition statements.

I would never sign new keys based on transition statements.

And if the original signatures were *really* done carefully

Still never. :-)

Regards,
Bart Martens
Re: Should mailing list bans be published?
On Sun, Oct 27, 2013 at 12:46:07PM -0700, Steve Langasek wrote:

On Sat, Oct 26, 2013 at 05:27:25PM -0400, Joey Hess wrote:

Bart Martens wrote:

I suggest we keep things civil, with respect for the persons involved. It's really not up to Debian to harm someone's reputation, and that could reflect badly on Debian's reputation.

Approaches I could support :
- post the bans with reasons on debian-private
- or maintain a list of bans with reasons in a text file on a Debian machine where DDs can read this info.

Simply obfuscating the name on the list of banned users (or not posting any names at all, only links to the posts that led to the ban) would eliminate most reputational damage. Ie, random searches for that person would not turn up a high pagerank debian.org page listing their youthful indiscretions. Using eg J. Hess would probably be fine in most cases.

This also seems like a good compromise to me. Do the other folks who object to publishing information that could damage the poster's reputation (e.g., Bart, Ingo) think this is ok?

Publishing the bans with links to the posts that led to the bans, means that the names are published with the bans, because the names are on the posts.

Regards,
Bart Martens
Re: Should mailing list bans be published?
On Sat, Oct 26, 2013 at 10:46:41AM -0700, Steve Langasek wrote:

This led to a philosophical debate about whether bans should be made public. Alexander expressed concern that having them published could be harmful to a person's reputation, since employers will google your name and see that you've been banned from a large project such as Debian.

I join Alexander on the above.

What do the rest of you think?

I suggest we keep things civil, with respect for the persons involved. It's really not up to Debian to harm someone's reputation, and that could reflect badly on Debian's reputation.

Approaches I could support :
- post the bans with reasons on debian-private
- or maintain a list of bans with reasons in a text file on a Debian machine where DDs can read this info.

Regards,
Bart Martens
Re: Should mailing list bans be published?
On Sat, Oct 26, 2013 at 09:20:27PM +0100, Ben Hutchings wrote:

On Sat, 2013-10-26 at 19:33 +, Bart Martens wrote:

On Sat, Oct 26, 2013 at 10:46:41AM -0700, Steve Langasek wrote:

This led to a philosophical debate about whether bans should be made public. Alexander expressed concern that having them published could be harmful to a person's reputation, since employers will google your name and see that you've been banned from a large project such as Debian.

I join Alexander on the above.

What do the rest of you think?

I suggest we keep things civil, with respect for the persons involved. It's really not up to Debian to harm someone's reputation, and that could reflect badly on Debian's reputation.

[...]

This is the same argument used to cover up all kinds of abuses. Maybe in the case of mailing list bans the infraction is minor enough that we should not make a public record of it, but I am very sceptical of the argument in general.

Cover up ? I did suggest approaches with full transparency among DDs.

Regards,
Bart Martens
Re: Should mailing list bans be published?
On Sat, Oct 26, 2013 at 12:58:34PM -0700, Steve Langasek wrote:

Hi Bart,

On Sat, Oct 26, 2013 at 07:33:34PM +, Bart Martens wrote:

On Sat, Oct 26, 2013 at 10:46:41AM -0700, Steve Langasek wrote:

This led to a philosophical debate about whether bans should be made public. Alexander expressed concern that having them published could be harmful to a person's reputation, since employers will google your name and see that you've been banned from a large project such as Debian.

I join Alexander on the above.

What do the rest of you think?

I suggest we keep things civil, with respect for the persons involved. It's really not up to Debian to harm someone's reputation, and that could reflect badly on Debian's reputation.

I don't understand this argument. What harm comes to Debian's reputation from showing publicly that we do not tolerate abusive behavior on our mailing list?

The harm that could come to Debian's reputation is that Debian could be perceived as an organization that harms people's reputation by judging them in public about their behavior on the mailing lists.

Approaches I could support :
- post the bans with reasons on debian-private
- or maintain a list of bans with reasons in a text file on a Debian machine where DDs can read this info.

I think posting this on debian-private is not as good as posting it publicly, for some of the reasons mentioned in my original mail. (E.g., making it clear to outsiders that certain behavior will not be tolerated.)

That can be made clear without harming individuals' reputations.

But it's a compromise I could support, if that's the consensus in the project.

I appreciate that you are open for this compromise. Let's see if it becomes a consensus.

I don't think maintaining a list somewhere is sufficient; there should be some notification to the project when the bans take place.

I can imagine that some DDs prefer to receive notifications, which can be obtained by simply using diff in crontab.

Regards,
Bart Martens
Re: Doing something about should remain private forever emails
On Fri, Jun 21, 2013 at 05:44:50PM +0100, Ian Jackson wrote:

Raphael Geissert writes (Doing something about should remain private forever emails):

So everyone knows that the declassification of -private isn't going to happen any time soon.

I think the declassification GR was unwise. The outcome is predictable. I think it would be best to explicitly revert it. The kind of fine-grained tagging and control envisaged by the GR is far too much work.

I suggest to simplify things. For example, delete all messages sent to debian-private automatically after 365 days. Then we have some kind of guarantee that after 365 days the messages remain private forever. Any DD wishing to keep the messages for a longer time, can still copy them from the Debian server to their own private system. (Even that can be automated, so no manual work for anyone.) I've read some rather private things on debian-private without any clause should remain private forever, so I prefer to keep the messages private by default.

But as a practical matter, I think that the bigger problem is that we are sometimes discussing things on -private which ought to be in public.

I don't see this as a big problem at all. The person starting a thread on debian-private usually had good reasons to do that. It's when the thread becomes big with the discussed topic shifting away from the original topic, people don't always realize they are still posting to debian-private. The silliest thing to do at that point is complain about this should be in public. Anyone can simply start a new thread on a public mailing list without complaining.

The traffic on debian-private is also not a problem for me. I subscribed to debian-private for a long time now, and it's not difficult for me to skip threads I'm not interested in.

Messages sent to the wrong lists happens all the time, also on the public mailing lists. Let's accept some noise, while allowing anyone to choose where they post their messages. There's sufficient social control encouraging people to use the better list.

Regards,
Bart Martens
Re: Validity of DFSG #10
Hi Stefano,

On Sun, Jan 06, 2013 at 03:37:38PM +0100, Stefano Zacchiroli wrote:

So, sure, we could drop it. (Note that this isn't entirely trivial, as it will require a GR with a 3:1 majority, given that the DFSG is one of our foundation documents.)

I guess it's easy to get such 3:1 majority for this.

But I doubt we will gain much in clarity by *only* doing that. We need an extra step: an authoritative and maintained lists of licenses that the Debian Project considers free. (...) Bottom line: I'd be very much in favor of dropping DFSG §10 as long as we replace it with a (pointer to a) place where we maintain an authoritative list of licenses we consider free, (...)

I agree that it would be nice to have an authoritative and maintained list of verified DFSG-free licenses. But we should keep the DFSG and the list strictly separate. If not, we would need a 3:1 majority on every change of the list, or we would be giving the list maintainers the authority to in fact change the DFSG without 3:1 majority. In my opinion the DFSG should not even mention the existence of the list (so no pointer), to prevent any possible interpretation like this license is DFSG because it's on the list and the DFSG state that the list is authoritative.

How to do the GR to drop DFSG #10 is clear. It's a matter of following existing procedures.

How would you organize setting up an authoritative and maintained list of verified DFSG-free licenses ? Which formal steps would need to be completed before an additional license or license version would be added to the list ? How to deal with mistakes on the list ? Do we have sufficient volunteers with sufficient legal knowledge to maintain such list ? Maybe this part should be dealt with further on debian-legal.

Regards,
Bart Martens
Re: Validity of DFSG #10
On Sat, Jan 05, 2013 at 08:35:00PM +0530, Vasudev Kamath wrote:

Just to give a background as part of my NM process me and my AM (intrigeri) started a discussion on ambiguity in DFSG #10 which specifies example of DFSG free license as BSD, GPL and Artistic. The web version of DFSG text at [1] currently provides link to each license name which respectively points to BSD-3-clause, GPL v3 page and Artistic license 1.0 page from perl project. But the text file of social_contract[2] shipped as part of doc-debian package doesn't contain any references to which version of license it is referring to.

The text of the DFSG doesn't state which versions of the GPL, BSD and Artistic licenses we consider free. If there is ambiguity in DFSG #10 then it's not about the links on the webpage and the absence of links in the text file shipped in doc-debian, but rather about the room for debate on whether all existing and future versions of GPL, BSD and Artistic licenses would be DFSG-free.

In brief Jakub Wilk wanted to get rid of DFSG #10 as it is creating ambiguous situation by pointing to licenses which have multiple variants.

I'm not against removing DFSG #10. Mentioning or not mentioning the examples don't change the DFSG themselves if the examples conform to the DFSG. If the DFSG continue to mention examples, then the examples must be unambiguously identified, so that only verified variants and versions are included.

In my opinion DFSG #10 is not a guideline but a statement giving example compared to other DFSG's

I agree that DFSG #10 is just a list of examples, not really a guideline as the G in DFSG.

so even I feel it is better to drop DFSG #10.

That is a choice we could make.

Regards,
Bart Martens
Re: ditching the official use logo?
On Sat, Oct 13, 2012 at 08:28:18PM -0300, Henrique de Moraes Holschuh wrote:

On Sat, 13 Oct 2012, Paul Tagliamonte wrote:

How about the attached patch? Looks great to me. Calling it restricted is technically correct, and well, that's the best kind of correct.

I second this (I am on the camp of we need/should keep the restricted logo). I consider this an acceptable compromise.

I second the patch (I was in the camp of put the bottle logo in a museum.) As Henrique wrote, the patch is an acceptable compromise.

Regards,
Bart Martens
Re: ditching the official use logo?
On Mon, Oct 01, 2012 at 12:27:37PM +0200, Stefano Zacchiroli wrote:

Note for those who have never looked into this: the official use logo is the one with the bottle.

...

My personal take on it is that we should simply ditch it, focusing on a single logo (the open use one) with a DFSG-free license, that we do now have.

I don't object against ditching the logo with the bottle. I don't object against keeping it around either. Maybe if people want to keep it around for nostalgic reasons it can be kept available on the website as the former official logo with a nice story about its history or so.

Regards,
Bart Martens
Re: New Debian Maintainer Jose Parella
On Sat, 2007-11-17 at 11:08 +0100, Pierre Habouzit wrote:

On Sat, Nov 17, 2007 at 02:46:12AM +, Aníbal Monsalve Salazar wrote:

Recommended-By: David Moreno Garza [EMAIL PROTECTED]
Changed-By: Anibal Monsalve Salazar [EMAIL PROTECTED]

Huh ? So now even new DM team members are unannounced ? Or did I miss the list where the new DM keyring admin was discussed ?

http://www.debian.org/vote/2007/vote_003

It will be initially maintained by: (...) Commit access will also be provided to others in Debian with similar roles (...) These people will initially be: (...) The team will be known as the Debian Maintainer Keyring team. Changes to the team may be made by the DPL under the normal rules for delegations.

So the GR text doesn't seem to require a public discussion nor a public announcement.

Regards,
Bart Martens
RE: Linux for a school
On Thu, 2007-11-08 at 09:54 +0200, [EMAIL PROTECTED] wrote:

Good day,

We are currently upgrading our school PC's from Windows to Linux. Is it possible that someone can send us a copy of debian linux?

Thanks for choosing Debian GNU/Linux. Good choice. :)

The fastest way to get Debian GNU/Linux is documented here:
http://www.debian.org/distrib/

There are also vendors in South Africa listed:
http://www.debian.org/CD/vendors/#za

Hope this helps,
Bart Martens

Regards,
PNJ IT Solutions for Vaalpark High School.
[EMAIL PROTECTED]
Re: call for seconds - request for removal of DM registrations
On Sun, 2007-10-28 at 09:22 +0100, Bart Martens wrote:

Dear DD's,

I think that Joerg was very reasonable with this message:
http://lists.debian.org/debian-project/2007/10/msg00115.html

The debate that followed doesn't seem to lead to a solution that makes the existing DM registrations conform to the rules of the voted GR. Multiple DD's have failed to convince the involved DM keyring maintainers about the importance of following the rules of the voted GR from the start.

Therefore, in the interest of respect for voted GR's, and in the interest of trust in the DM keyring being introduced, I regret to see no other option for the time being than to request this:

I hereby request the immediate removal of all DM registrations in the DM keyring that got added to the DM keyring without following the rules of the voted GR.

I hereby cancel this request, because the missing messages [0] for the three DM registrations have now been posted on the public mailing lists.

http://lists.debian.org/debian-project/2007/10/msg00115.html

Regards,
Bart Martens

I hereby call for other DD's to second this request in a signed message so that our request conforms to this part of the GR rules:

The initial policy is that removals from the keyring will occur under any of the following circumstances: multiple Debian developers have requested the individual's removal for good reason, such as

http://www.debian.org/vote/2007/vote_003

Regards,
Bart Martens
Re: Debian Maintainers
On Sun, 2007-10-28 at 11:04 +1000, Anthony Towns wrote:

On Fri, Oct 26, 2007 at 09:55:57AM +0200, Bart Martens wrote:

I'm sure that the intentions are good, but Joerg has a point about these three DM's. Maybe it is better to replace these three DM registrations in the DM keyring by three artificial DM's owned by DD's.

I don't think having dummy uploads introducing made up names into Uploaders fields is a great idea,

The point is that three real non-DD's got upload rights via the DM keyring without following the rules of the GR.

and limiting testing to DDs means you don't get reports of things that are obvious to DDs but aren't for people who've never uploaded before.

That might be a disadvantage, but that doesn't change the fact that the point is ... see above.

I don't think any solution short of revert the GR entirely would stop those complaints --

I'm not requesting to revert the GR entirely. The point is ... see above.

and in turn is why they're correlated with the original votes.

Even if such correlation would exist (*), then still the point is ... see above.

(*): I voted further discussion at the time, and now that the GR got accepted, I have offered my help to do beta-testing of the DM-infra. I don't see any amusement in reading that I would be one of those who find fault with this no matter what happens.

Regards,
Bart Martens
Re: call for seconds - request for removal of DM registrations
On Sun, 2007-10-28 at 09:38 +0100, Raphael Hertzog wrote:

Don't you have anything better to do than to try to escalate the situation?

I'll read that as a rhetorical question.

What are the good reasons to remove those maintainers?

The good reasons for requesting the removal of inappropriate additions to the DM keyring are
- respect for voted GR's,
- trust in the DM keyring being introduced.

Didn't I already write that somewhere? :)

I'm sorry you have to find your good reasons in the work of the DM that you want to remove

We all know that this is not about the work of the DM candidates.

and not in the DM keyring maintenance team.

I'm not blaming the DM keyring maintenance team for having a different view on the liberties that come with being a member of the DM keyring maintenance team.

Regards,
Bart Martens
Re: Debian Maintainers
On Sun, 2007-10-28 at 10:15 +0100, Michael Banck wrote:

Hi,

On Fri, Oct 26, 2007 at 03:42:02PM +0200, Pierre Habouzit wrote:

When a new NM gains upload rights (and becomes a DD), there is a mail on -newmaint. And it's like that for years.

But not since the beginning of adding DDs to the project, it was introduced later on. It surely makes a lot of sense to do so, but I don't see it as a categoric requirement during beta-testing.

Beta-testing is good. But granting non-DD's upload rights requires following the rules of the voted GR.

It's also made public on nm.debian.org, for everyone to see and watch. I expect at least the same degree of informations to be available for DDs.

I expect that as well, and as soon as DM starts officially and is out of beta.

That would be more than I expect in short term. I think that it is OK to officially start using the DM keyring before all documentation and tools are ready. As long as granting upload rights to non-DD's is done following the rules of the voted GR.

Regards,
Bart Martens
Re: call for seconds - request for removal of DM registrations
On Sun, 2007-10-28 at 14:57 +0200, Kalle Kivimaa wrote: Bart Martens [EMAIL PROTECTED] writes: The good reasons for requesting the removal of inappropriate additions to the DM keyring are Why is it better to introduce more work for the DM Keyring team than ask for a simple apology? Granting upload rights to non-DD's bypassing the voted procedures is not solved by an apology but by completing the remaining formal steps for the DM applications or by removing the DM registrations for as long as the remaining steps are not yet completed. No need for an apology, because it is OK to have a different view on the liberties that come with being a member of the DM keyring maintenance team, and because I'm convinced that all was done with good intentions. Also, you are aware that even if multiple DD's do second your request, it is entirely up to the DM Keyring team if they agree with you that this is a good reason for removal? So, you might end up with accomplishing nothing. I haven't read the GR text that way, but let's hope that it doesn't escalate to that level. Regards, Bart Martens
Re: Debian Maintainers
On Thu, 2007-10-25 at 22:38 -0400, Joey Hess wrote: DM is not fully implemented yet. AIUI, aj is still adding support in DAK to auto-accept the byhand keyring -- but only if it was uploaded by a member of the DM keyring team. He may also still have some more tests of the whole system, I'm not sure. I think it's not unreasonable to defer announcements of additions to the keyring until we've finished putting into place the system to manage and use the keyring. Yes, that is a good reason to defer announcements. The current 3 people in the DM keyring agreed to be beta testers of the process, and I don't anticipate us adding more people until everything is fully implemented and tested. I'm sure that the intentions are good, but Joerg has a point about these three DM's. Maybe it is better to replace these three DM registrations in the DM keyring by three artificial DM's owned by DD's. Then nobody can complain about real DM's already being added without following the rules. I'm willing to help if you're interested. http://knars.be/bartm/DM/DM_beta_test_bartm_pubkey.asc I guess that it's not so difficult to find two other volunteering DD's. Right ? :) Regards, Bart Martens
Re: Debian Maintainers
On Fri, 2007-10-26 at 09:55 +0200, Bart Martens wrote: On Thu, 2007-10-25 at 22:38 -0400, Joey Hess wrote: The current 3 people in the DM keyring agreed to be beta testers of the process, and I don't anticipate us adding more people until everything is fully implemented and tested. I'm sure that the intentions are good, but Joerg has a point about these three DM's. Maybe it is better to replace these three DM registrations in the DM keyring by three artificial DM's owned by DD's. Then nobody can complain about real DM's already being added without following the rules. I'm willing to help if you're interested. http://knars.be/bartm/DM/DM_beta_test_bartm_pubkey.asc I guess that it's not so difficult to find two other volunteering DD's. Right ? :) For the record, joeyh rejected my offer to help via IRC. The entire DM procedure can be put in place and can be thoroughly tested while respecting the rules of the recently voted GR. I don't understand why joeyh doesn't want me to help to make the ongoing effort conform to the voted GR. Other DD's joining my concern? Regards, Bart Martens
Re: Debian Maintainers
On Fri, 2007-10-26 at 11:49 +0200, Joerg Jaspert wrote: On 11184 March 1977, Joey Hess wrote: BTW, I hope that Joerg realises that according to the GR, he's a member of the Debian Maintainer Keyring team, and thus just as responsible for slavishly following its rules as me and aj, and thus is presumably just as responsible if a rule was missed. ;-P (Perhaps his mail is an attempt to take that responsibility, but that's not the tone I take away from his Please follow your own rules. Thanks.) Well. Do you want me to remove the 3 people from the keyring? I would not object against that, because it is perfectly possible to install and thoroughly test the DM infrastructure in a way that conforms to the recently voted GR. Because that would be my action then. But that's no action that helps in any way, that's why I'm not doing it. Well, that's why I offered my help to joeyh. :) IMO the whole GR is just wrong, Hmm... let's not go into that. :) but that doesn't mean we should ignore what's written in it. Yes, the voted GR must be respected, or we could as well stop voting GR's. Regards, Bart Martens
Re: please
On Wed, 2007-06-06 at 10:06 +0200, walter wrote: I've lost a lot of time and plastic trying to download your dvds, cds. All corrupt. It seems you or somebody else don't want people know about your distro. What were the problems you experienced ? Regards, Bart Martens
wrong list (Re: Install KDE Language Package Problam)
On Mon, 2007-04-30 at 21:55 +0800, Wayne wrote: Dear Debian Group My English is so bad, so i want to install kde-i18n-zhtw language package but, i use apt-get install kde-i18n-zhtw command, that say No found i also use the command apt-get search kde-i18n-zhtw, that say E:Invaild operation search I'm using Debian 4.0-KDE Pls help Thanks Wayne Please ask this question on this mailing list: http://lists.debian.org/debian-user/ Other mailing lists for Debian users: http://lists.debian.org/users.html Other ways to find support: http://www.debian.org/support Regards, Bart Martens
stable / backports (Re: When Debian 4.1 will arrive... will anyone care?)
On Fri, 2007-04-20 at 15:17 +1000, Craig Sanders wrote: contrary to popular belief and self-delusion, 'stable+backports' is NO LONGER STABLE. That is of course true. the only 'advantage' to using 'stable+backports' over 'stable+some packages from unstable or testing' is that you don't have that nasty label 'unstable'.(...) IMO, if you need a 'stable' system with some newer packages, you're better off learning how apt's pinning stuff works than bothering with backports. it's not hard. Backports are recompiled packages from testing, so they will run without new libraries on a stable Debian distribution. It is not always possible to install a package from testing without pulling in lots more packages from testing. But, as you know, stable+testing is no longer stable either. :) to get that crucially important 'benefit', you're using packages from a repository with unsigned packages by unknown maintainers. Last time I checked, only DD's can upload to backports. But it is correct that anyone can create a package for backports, and ask a DD-sponsor to upload to backports, without consulting the maintainer of the package in testing. So this seems similar to an NMU. That introduces a slight risk that some details might be overlooked. Anyhow, I think that the discussion is about getting newer upstream releases into stable sooner. The backports project is an interesting approach, because it makes newer upstream releases available to stable users, without putting these packages in the Debian stable repository. Somehow I think that the stable-ness of Debian stable is one of the strong assets of the Debian project, so policy about how stable a package in stable should be, should not be changed too suddenly. A gentle transition to any direction should be OK, as the project should be allowed to evolve. Let's not confuse this with getting the packages in unstable/testing updated to the newest upstream releases some time before the next freeze preparing the next stable release.
updates in stable do happen
On Wed, 2007-04-11 at 10:34 +0900, Charles Plessy wrote: that nothing will happen anymore in Debian stable in the next 24 months. That is sooo not true. Please see the sections News and Security Advisories on this page [1]. This is far from nothing. If you feel that some packages in stable need an update, then you are very welcome to suggest an update by following the procedure described here [2]. [1]: http://www.debian.org/ [2]: http://www.debian.org/doc/manuals/developers-reference/ch-pkgs.en.html#s-upload-stable Regards, Bart Martens
Re: ideas....
Hi John, On Fri, 2007-04-06 at 20:43 +0100, John Watson wrote: 1) I just find that releases are being delayed due to the obsession with security. I prefer the Debian project to continue to focus on quality and security to keep this wonderful volunteer-run GNU/Linux distribution suitable for business use. If Microsoft was Debian then Microsoft would only be releasing Windows XP now, understanding security and reliability is important however there needs to be a cut off point. Closed-source software can hide insecure parts. I would suggest having two releases of Debian, one really stable which could be released every 2 years, another one stable released every 6 months That is more or less what already happens. http://www.debian.org/News/2007/20070218 If you feel that some software should be updated in Debian stable, then you are welcome to report a wishlist bug in the BTS pointing to this: http://www.debian.org/doc/manuals/developers-reference/ch-pkgs.en.html#s-upload-stable If someone just wants something newer made available for Debian stable, then he/she can use and contribute to the Backports project. http://www.backports.org/ by taking a freeze of the current testing distro and spending a month (no more) fixing any major bugs. You're very welcome to help fixing bugs to reduce the freeze period to just one month. :) I personally believe the testing version is as stable as many of the other distros in the market. I normally use the testing version There is a reason why Debian is better than the other distros in the market. :) however when it comes to a release of the stable version, updates on testing are few with an increased temptation to switch to a different distro. I agree with you that some packages are not updated to the newest upstream releases for too long, so you are welcome to notify the packagers by reporting wishlist bugs in the BTS and/or report inactive maintainers to the MIA-team. So those are the ideas, now flame me. No flame please. 
:) I have not commented in detail on your ideas about how to use money in the project, because I'm just a volunteer interested in showing off how smart I am :) and unfortunately also revealing how much I still can learn. Note that the Debian project is very volunteer-driven, and money is a sensitive subject. For now I prefer to stay out of flamewars about money in Debian, and focus on the interesting parts: the software. Regards, Bart Martens
Re: what to concider during the election of the DPL
On Tue, 2007-03-20 at 00:40 +, MJ Ray wrote: the strongest leader is someone who leads many other strong people to push in the same direction, building consensus. Yes, absolutely.
Re: Proposal: Handling of changelog bug closures in Debian derived distros
Hi Guillem, On Tue, 2006-11-14 at 08:11 +0200, Guillem Jover wrote: Right now there's no clean way for a Debian derivative to close bugs specific to their distro in a changelog entry and then distinguish those from Debian bugs. Yes, for a Debian derivative. I'd like that developers from derivatives would get involved in this discussion Absolutely. It's in the interest of the derivatives. I don't think that the Debian project should lead this discussion. How many derivatives currently automatically parse the changelogs to update their bug tracking systems? Maybe only Ubuntu, I'm not sure. so that we can get a general solution for everyone, A solution for the derivative. Or for multiple derivatives if they agree on using the same solution. I don't think it's a solution for Debian. as I think Debian should be responsible for providing the infrastructure to do that. No, I don't think that Debian is responsible for helping derivatives to automate the updating of the derivatives' bug tracking systems. Don't get me wrong, there's nothing wrong with cooperating with Ubuntu or other derivatives. But I think that joint efforts should make Debian better. If not then I wonder if Debian should do the efforts. So I'd propose to extend the changelog format I have not yet studied your proposal, because I want to get some bugs fixed before etch releases. :) Regards, Bart Martens
Re: Non-DDs right to speak on mailing lists
On Thu, 2006-08-24 at 10:38 +0200, Marc Haber wrote: On Wed, Aug 23, 2006 at 05:39:43PM -0500, Peter Samuelson wrote: He didn't use the [EMAIL PROTECTED] address. It was clear to me that he was speaking as a developer, not as the DPL. But he has repeatedly suggested when speaking as a developer that non-DDs are kind of a second-class speaker on Debian mailing lists. In my opinion, he is dead wrong on this track and I frown upon him making these suggestions. In my opinion, all people are equal in technical and political discussions. Non-DDs provide valuable input and I hate the idea of discouraging them from participating in Debian's discussion media. They can't vote, and that's OK in my opinion, so they are somewhat less heard in Debian anyway. Please, non-DDs, don't let yourself be discouraged and demotivated by the individual who happens to wear the DPL hat when he is not discouraging and demotivating. I'm a non-DD. Non-DD's do have the right to speak on mailing lists marked with "not moderated; posting is allowed by anyone". I accept the fact that non-DD's have no decision rights in the Debian project, simply because non-DD's are not part of the decision making structure. I don't feel discouraged nor demotivated from participating in Debian's discussion media. I'm convinced that good input from non-DD's is used by DD's, and I'm flattered that I'm allowed to maintain a few packages. Greetings Marc