Re: Formal declaration of weak package ownership in source packages (was: Replace the TC power to depose maintainers)
Philip Hands writes ("Re: Formal declaration of weak package ownership in source packages (was: Replace the TC power to depose maintainers)"):
> Until now I've tended to be irritated by the way courts do that, but
> suddenly I have more of an understanding of why they do ;-)
>
> Having someone that is familiar with court processes on the TC might
> help. I don't know if any of the current batch have a legal background.

While I'm a successful litigant, I have no formal training. But you
can see a lot from reading judgements.

> I wonder how long it would be before people start acting as advocates to
> guide others through our increasingly arcane rules -- that might actually
> work quite well though. Perhaps we'd have a better process if someone
> not involved in the dispute acted as champion for each party, so that
> even timid folk could be confident that the person they were dealing
> with was on their side.

That might well help.

> > It would also help if third parties kept their rants to a minimum.
>
> I'm not sure what sanction we could enforce for contempt of TC ;-)

The TC ought to be able to block someone from posting to its mailing
list (and to bugs in the TC's purview).

Ian.

--
Ian Jackson   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
Re: Formal declaration of weak package ownership in source packages (was: Replace the TC power to depose maintainers)
Scott Kitterman writes:

> On Monday, December 12, 2016 01:16:49 PM Ian Jackson wrote:
>> Scott Kitterman writes ("Re: Formal declaration of weak package ownership in
>> source packages (was: Replace the TC power to depose maintainers)"):
>> > If anyone can unilaterally add themselves as maintainer (to pick one
>> > proposal as an example) and make intrusive package changes (since
>> > they are a maintainer), there's really no maintainer at all.
>>
>> I was suggesting this only for the situation where there is only one
>> maintainer.
>
> I know, but once it's one, then it will be two, because reasons.
>
>> > I do sense a general trend of the conversation towards the idea of
>> > undermining package maintainership. Push too hard in that direction
>> > and you get revert wars and even larger chunks of the archive left
>> > to rot.
>>
>> I think we have a problem that a few maintainers are unresponsive to
>> external corrective input, or uncommunicative (except to block). I
>> don't think our systems for dealing with such situations are any good.
>> It mostly seems to involve having a conversation (necessarily) full of
>> personal attacks, on the TC list.
>
> I agree the current system isn't working, but I think if you optimize for
> these relatively rare hard cases, you'll do more harm than good.

I have to agree: my thought on this was that hard cases make bad law.

The thing that comes to mind from my experience would be the request to
enable ssh -c none (which turns off crypto, giving better speed in
exchange for exposing private key material to the net, and only meant
for testing). Some people were _very_ keen on this idea indeed. The
related bug (#13389) doesn't really give the full impression.

Of course times are quite different, and it would be a very brave person
who would now try to unilaterally join debian-ssh and upload a patched
package, but I imagine there are other security sensitive packages being
quietly and carefully maintained by someone that doesn't realise that
they're giving a public impression of inactivity.

> In line with some other recent comments (I think on this list, I lose track),
> I think if the TC were a bit more aggressive about requiring people with
> issues they want the TC to address to put them in neutral technical terms
> (the U.S. legal parallel would be roughly case dismissed for failure to make
> a justiciable claim [1]) before they will consider them, the existing process
> could work in a less painful way.

Until now I've tended to be irritated by the way courts do that, but
suddenly I have more of an understanding of why they do ;-)

Having someone that is familiar with court processes on the TC might
help. I don't know if any of the current batch have a legal background.

I wonder how long it would be before people start acting as advocates to
guide others through our increasingly arcane rules -- that might actually
work quite well though. Perhaps we'd have a better process if someone
not involved in the dispute acted as champion for each party, so that
even timid folk could be confident that the person they were dealing
with was on their side.

> It would also help if third parties kept their rants to a minimum.

I'm not sure what sanction we could enforce for contempt of TC ;-)

Cheers, Phil.

--
|)| Philip Hands [+44 (0)20 8530 9560] HANDS.COM Ltd.
|-| http://www.hands.com/ http://ftp.uk.debian.org/
|(| Hugo-Klemm-Strasse 34, 21075 Hamburg, GERMANY
Re: Formal declaration of weak package ownership in source packages (was: Replace the TC power to depose maintainers)
On Monday, December 12, 2016 01:16:49 PM Ian Jackson wrote:
> Scott Kitterman writes ("Re: Formal declaration of weak package ownership in source packages (was: Replace the TC power to depose maintainers)"):
> > If anyone can unilaterally add themselves as maintainer (to pick one
> > proposal as an example) and make intrusive package changes (since
> > they are a maintainer), there's really no maintainer at all.
>
> I was suggesting this only for the situation where there is only one
> maintainer.

I know, but once it's one, then it will be two, because reasons.

> > I do sense a general trend of the conversation towards the idea of
> > undermining package maintainership. Push too hard in that direction
> > and you get revert wars and even larger chunks of the archive left
> > to rot.
>
> I think we have a problem that a few maintainers are unresponsive to
> external corrective input, or uncommunicative (except to block). I
> don't think our systems for dealing with such situations are any good.
> It mostly seems to involve having a conversation (necessarily) full of
> personal attacks, on the TC list.

I agree the current system isn't working, but I think if you optimize for
these relatively rare hard cases, you'll do more harm than good.

In line with some other recent comments (I think on this list, I lose track),
I think if the TC were a bit more aggressive about requiring people with
issues they want the TC to address to put them in neutral technical terms
(the U.S. legal parallel would be roughly case dismissed for failure to make a
justiciable claim [1]) before they will consider them, the existing process
could work in a less painful way.

It would also help if third parties kept their rants to a minimum.

Scott K

[1] http://legal-dictionary.thefreedictionary.com/justiciable
Re: Formal declaration of weak package ownership in source packages (was: Replace the TC power to depose maintainers)
Scott Kitterman writes ("Re: Formal declaration of weak package ownership in source packages (was: Replace the TC power to depose maintainers)"):
> If anyone can unilaterally add themselves as maintainer (to pick one
> proposal as an example) and make intrusive package changes (since
> they are a maintainer), there's really no maintainer at all.

I was suggesting this only for the situation where there is only one
maintainer.

> I do sense a general trend of the conversation towards the idea of
> undermining package maintainership. Push too hard in that direction
> and you get revert wars and even larger chunks of the archive left
> to rot.

I think we have a problem that a few maintainers are unresponsive to
external corrective input, or uncommunicative (except to block). I
don't think our systems for dealing with such situations are any good.
It mostly seems to involve having a conversation (necessarily) full of
personal attacks, on the TC list.

Ian.

--
Ian Jackson   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
Re: Formal declaration of weak package ownership in source packages (was: Replace the TC power to depose maintainers)
On December 11, 2016 8:50:19 PM EST, Ian Jackson wrote:
>Scott Kitterman writes ("Re: Formal declaration of weak package
>ownership in source packages (was: Replace the TC power to depose
>maintainers)"):
>> These changes will require, at the very least, policy changes. We
>> have a process for that.
>>
>> Unless this thing is somehow opt-in only, be prepared for a GR
>> overriding it.
>
>It might be best to do it via a GR anyway.
>
>> P. S. In case you wonder how maintainerless works, go look at the
>> dusty corners of the Ubuntu archive.
>
>I'm not in favour of abolishing maintainership.
>
>You don't explicitly say so but I get the impression from your mail
>that you think what I am suggesting is a bad idea. I've read your
>other messages in this thread and they have significantly influenced
>my thinking. So perhaps I have misunderstood you.

You may not think you are, but I believe that is the net effect.

If anyone can unilaterally add themselves as maintainer (to pick one
proposal as an example) and make intrusive package changes (since they
are a maintainer), there's really no maintainer at all.

Being maintainer means having responsibility for a package. If anyone
can add themselves as maintainer, then you've turned being maintainer
into a position with responsibility, but no authority. That's a recipe
for disaster.

I confess to a difficulty keeping all the threads straight, so this
might not be one of your proposals at all.

I do sense a general trend of the conversation towards the idea of
undermining package maintainership. Push too hard in that direction and
you get revert wars and even larger chunks of the archive left to rot.

I think there are plenty of DDs who would find having their ability to
control their packages taken away demotivating. I don't see a crowd of
new contributors just waiting to not have to deal with a maintainer to
get involved in Debian development.

Running off or demotivating the people we have isn't a great way to make
a better operating system.

Scott K
Re: Formal declaration of weak package ownership in source packages (was: Replace the TC power to depose maintainers)
Scott Kitterman writes ("Re: Formal declaration of weak package ownership in source packages (was: Replace the TC power to depose maintainers)"):
> These changes will require, at the very least, policy changes. We
> have a process for that.
>
> Unless this thing is somehow opt-in only, be prepared for a GR overriding it.

It might be best to do it via a GR anyway.

> P. S. In case you wonder how maintainerless works, go look at the dusty
> corners of the Ubuntu archive.

I'm not in favour of abolishing maintainership.

You don't explicitly say so but I get the impression from your mail
that you think what I am suggesting is a bad idea. I've read your
other messages in this thread and they have significantly influenced
my thinking. So perhaps I have misunderstood you.

Ian.

--
Ian Jackson   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
Re: Formal declaration of weak package ownership in source packages (was: Replace the TC power to depose maintainers)
On December 11, 2016 8:25:05 PM EST, Ian Jackson wrote:
>Enrico Zini writes ("Re: Formal declaration of weak package ownership
>in source packages (was: Replace the TC power to depose maintainers)"):
>> On Tue, Dec 06, 2016 at 03:42:57PM +, Ian Jackson wrote:
>> > > It's a lot simpler to keep this metadata outside source package.
>> > I endorse this product and/or service.
>>
>> Here's one way to quickly build a service like this:
>
>Great, thanks for the technical tips.
>
>What's needed to make this actually happen ?
>
>I think the initial proposal is simply to move the metadata currently
>in Maintainers and Uploaders into a database which is separate from
>the archive.
>
>I guess the initial UI would mirror the existing "DD authority"
>process.
>
>Who in the project can decide to do this ? I think this is probably
>the DPL.
>
>After that, we will probably want to further develop the UI and the
>maintainership accession flow.
>
>For example, my suggestion of having a "request to join team" button
>but allowing any DD to add themselves as a Maintainer of a
>solo-maintained package. Presumably there would have to be a way for
>the MIA team to mark someone as "maintainer emeritus" (ie, used to be
>a maintainer).
>
>Who would make these UI decisions ?

These changes will require, at the very least, policy changes. We have a
process for that.

Unless this thing is somehow opt-in only, be prepared for a GR overriding it.

Scott K

P. S. In case you wonder how maintainerless works, go look at the dusty
corners of the Ubuntu archive.
Re: Formal declaration of weak package ownership in source packages (was: Replace the TC power to depose maintainers)
Enrico Zini writes ("Re: Formal declaration of weak package ownership in source packages (was: Replace the TC power to depose maintainers)"):
> On Tue, Dec 06, 2016 at 03:42:57PM +, Ian Jackson wrote:
> > > It's a lot simpler to keep this metadata outside source package.
> > I endorse this product and/or service.
>
> Here's one way to quickly build a service like this:

Great, thanks for the technical tips.

What's needed to make this actually happen ?

I think the initial proposal is simply to move the metadata currently
in Maintainers and Uploaders into a database which is separate from
the archive.

I guess the initial UI would mirror the existing "DD authority"
process.

Who in the project can decide to do this ? I think this is probably
the DPL.

After that, we will probably want to further develop the UI and the
maintainership accession flow.

For example, my suggestion of having a "request to join team" button
but allowing any DD to add themselves as a Maintainer of a
solo-maintained package. Presumably there would have to be a way for
the MIA team to mark someone as "maintainer emeritus" (ie, used to be
a maintainer).

Who would make these UI decisions ?

Ian.

--
Ian Jackson   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
Re: Formal declaration of weak package ownership in source packages (was: Replace the TC power to depose maintainers)
On Tue, Dec 06, 2016 at 03:42:57PM +, Ian Jackson wrote:
> > It's a lot simpler to keep this metadata outside source package.
> I endorse this product and/or service.

Here's one way to quickly build a service like this:

 - Configure the web server to accept Debian's SSO credentials:
   https://wiki.debian.org/DebianSingleSignOn#Documentation_for_web_application_owners
 - Set up a Django site using RemoteUserMiddleware, but trusting
   SSL_CLIENT_S_DN_CN instead of REMOTE_USER:
   https://docs.djangoproject.com/en/1.10/howto/auth-remote-user/
   (see the CustomHeaderMiddleware example)
 - Create the model and CRUD pages for the extra info you want to
   maintain about developers, with ForeignKey to
   django.contrib.auth.get_user_model()
 - Export your data with django-rest-framework

Enrico

--
GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini
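Added example, not part of Enrico's mail and not code from any Debian service: a standard-library WSGI sketch of the recipe above, used in place of Django and django-rest-framework so it runs without dependencies. It takes the identity only from the server-set SSL_CLIENT_S_DN_CN variable, keeps one record per authenticated user and exports the data as JSON; the record fields, the `app.user` key, the use of the CN as the user name and the sample CNs are assumptions.

```python
import io
import json
from wsgiref.util import setup_testing_defaults

# Variable named in the mail above; the web server sets it only after it
# has verified the client certificate.
CERT_CN_VAR = "SSL_CLIENT_S_DN_CN"
FIELDS = {"low_threshold_nmu": bool, "note": str}  # hypothetical record fields


def respond(start_response, status, payload):
    body = json.dumps(payload, sort_keys=True).encode()
    start_response(status, [("Content-Type", "application/json"),
                            ("Content-Length", str(len(body)))])
    return [body]


class ClientCertAuth:
    """Set environ['app.user'] from the server-verified certificate CN only."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # Request headers reach WSGI as HTTP_* keys, so a client-sent
        # "SSL-Client-S-DN-CN" header ends up in HTTP_SSL_CLIENT_S_DN_CN
        # and is never read here.
        cn = environ.get(CERT_CN_VAR, "").strip()
        environ["app.user"] = cn or None
        return self.app(environ, start_response)


class MetadataService:
    """GET exports every record; PUT updates the caller's own record."""

    def __init__(self):
        self.records = {}

    def __call__(self, environ, start_response):
        method, user = environ["REQUEST_METHOD"], environ.get("app.user")
        if method == "GET":
            return respond(start_response, "200 OK", self.records)
        if method != "PUT":
            return respond(start_response, "405 Method Not Allowed",
                           {"error": "GET or PUT only"})
        if user is None:
            return respond(start_response, "401 Unauthorized",
                           {"error": "client certificate required"})
        try:
            size = int(environ.get("CONTENT_LENGTH") or 0)
            data = json.loads(environ["wsgi.input"].read(size))
            # Only known fields with the expected type are accepted.
            ok = isinstance(data, dict) and all(
                k in FIELDS and type(v) is FIELDS[k] for k, v in data.items())
        except ValueError:
            ok = False
        if not ok:
            return respond(start_response, "400 Bad Request",
                           {"error": "invalid record"})
        # The record key is the authenticated user, never a body value.
        self.records.setdefault(user, {}).update(data)
        return respond(start_response, "200 OK", self.records[user])


def call(app, method="GET", body=None, **extra):
    """Drive the app in-process with a constructed environ."""
    raw = json.dumps(body).encode() if body is not None else b""
    environ = {"REQUEST_METHOD": method, "CONTENT_LENGTH": str(len(raw)),
               "wsgi.input": io.BytesIO(raw), **extra}
    setup_testing_defaults(environ)
    seen = {}
    chunks = app(environ, lambda status, headers: seen.update(status=status))
    return seen["status"], json.loads(b"".join(chunks))


def demo():
    """Constructed requests; 'alice' and 'someone-else' are made-up CNs."""
    app = ClientCertAuth(MetadataService())
    return [
        call(app, "PUT", {"low_threshold_nmu": True}, SSL_CLIENT_S_DN_CN="alice"),
        # Same variable name sent as a request header: not trusted.
        call(app, "PUT", {"note": "x"}, HTTP_SSL_CLIENT_S_DN_CN="someone-else"),
        # Authenticated, but tries to name another user in the body.
        call(app, "PUT", {"user": "alice", "note": "x"},
             SSL_CLIENT_S_DN_CN="someone-else"),
        call(app, "GET"),
    ]


if __name__ == "__main__":
    for status, payload in demo():
        print(status, payload)
```

In the Django version the first class corresponds to a RemoteUserMiddleware subclass whose `header` attribute is set to that variable name.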
Re: Formal declaration of weak package ownership in source packages (was: Replace the TC power to depose maintainers)
* Adam Borowski [161206 10:10]:
> On Tue, Dec 06, 2016 at 09:18:49AM +0100, Johannes Schauer wrote:
> > What I currently find inconvenient about the LowThresholdNmu page is, that
> > it is external to the source package. So after having found a package I
> > want to fix I have to manually look up on that wiki page whether the
> > maintainer is fine with NMUs and if it applies to the source package at
> > hand.
>
> I wouldn't even think of making a NMU without looking at the PTS, and that
> page states "LowNMU" right to the maintainer's name.

Note that this indication is just that, an indication. Various
maintainers have exceptions to which packages the LowNMU threshold
applies, but the PTS does not understand that.

Many maintainers also say something like "check with co-maintainers"
and then you end up in a circle, where all co-maintainers have that
exception listed ...

--
christian hofstaedtler
Re: Formal declaration of weak package ownership in source packages (was: Replace the TC power to depose maintainers)
Lars Wirzenius writes ("Re: Formal declaration of weak package ownership in source packages (was: Replace the TC power to depose maintainers)"):
> For example, there's corner cases that get tricky. A package might
> only be in stable, but the maintainer wants to declare it as
> LowThresholdAdoptable. That would require an upload to unstable only
> to change that bit of metadata. Or Debian might be in a freeze, and
> uploading a new package version would be frowned upon.
>
> It's a lot simpler to keep this metadata outside source package.

I endorse this product and/or service.

Ian.

--
Ian Jackson   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
Re: Formal declaration of weak package ownership in source packages (was: Replace the TC power to depose maintainers)
On Tue, Dec 06, 2016 at 04:15:22PM +0100, Johannes Schauer wrote:
> why would it be important to change that kind of information for a package in
> stable? The audience interested in this field is interested in uploads to
> unstable, so is it not sufficient if the information is up-to-date there?

no, it's a long standing problem: users look at packages in stable, so
it would be good to update the maintainer fields in stable too, without
going through reviewed uploads…

> What do you think?

Lars' desire to have maintainer information easily changeable in stable is
not related to this thread. :)

--
cheers,
Holger
Re: Formal declaration of weak package ownership in source packages (was: Replace the TC power to depose maintainers)
On Tue, Dec 06, 2016 at 04:15:22PM +0100, Johannes Schauer wrote:
> why would it be important to change that kind of information for a package in
> stable? The audience interested in this field is interested in uploads to
> unstable, so is it not sufficient if the information is up-to-date there?

For example, there's corner cases that get tricky. A package might
only be in stable, but the maintainer wants to declare it as
LowThresholdAdoptable. That would require an upload to unstable only
to change that bit of metadata. Or Debian might be in a freeze, and
uploading a new package version would be frowned upon.

It's a lot simpler to keep this metadata outside source package.

--
I want to build worthwhile things that might last. --joeyh
Re: Formal declaration of weak package ownership in source packages (was: Replace the TC power to depose maintainers)
Hi,

Quoting Lars Wirzenius (2016-12-06 16:06:30)
> On Tue, Dec 06, 2016 at 03:50:12PM +0100, Johannes Schauer wrote:
> > Actually, this is a great argument for why this information should be in a
> > deb822 field in the source package itself.
>
> FWIW, I think this is the kind of information that should be kept out
> of the source package, since changing it would require an upload and
> that's not going to happen for stable. I'd prefer such information be
> kept somewhere it's easy to change.

why would it be important to change that kind of information for a package in
stable? The audience interested in this field is interested in uploads to
unstable, so is it not sufficient if the information is up-to-date there?

If you want to make a change to stable, then you have to go through the stable
release team anyways first.

What do you think?

cheers, josch
Re: Formal declaration of weak package ownership in source packages (was: Replace the TC power to depose maintainers)
On Tue, Dec 06, 2016 at 03:50:12PM +0100, Johannes Schauer wrote:
> Actually, this is a great argument for why this information should be in a
> deb822 field in the source package itself.

FWIW, I think this is the kind of information that should be kept out
of the source package, since changing it would require an upload and
that's not going to happen for stable. I'd prefer such information be
kept somewhere it's easy to change.

--
I want to build worthwhile things that might last. --joeyh
Re: Formal declaration of weak package ownership in source packages (was: Replace the TC power to depose maintainers)
Hi,

Quoting Holger Levsen (2016-12-06 15:15:53)
> On Tue, Dec 06, 2016 at 03:08:54PM +0100, Adam Borowski wrote:
> > > https://tracker.debian.org/pkg/multistrap
> > I see that https://wiki.debian.org/LowThresholdNmu lists you as
> > [[JohannesSchauer|Johannes 'josch' Schauer]] while the maintainer field is
> > Johannes Schauer , that obviously breaks a string match.
>
> the email on the wiki page is also a different one…

maybe whoever implemented or understands the algorithm that is used by the PTS
to parse the wiki page should precisely explain the conditions used for the
matching in said wiki page? Right now I do not see any way to verify whether an
entry in the wiki page is actually properly formatted. The fact that I didn't
know that there were consumers like the PTS which expect a certain formatting
explains why I didn't take great care when I inserted my name into the list. So
maybe the wiki page could also get a list of machine consumers at the top?

Actually, this is a great argument for why this information should be in a
deb822 field in the source package itself.

Thanks!

cheers, josch
Re: Formal declaration of weak package ownership in source packages (was: Replace the TC power to depose maintainers)
On Tue, Dec 06, 2016 at 03:08:54PM +0100, Adam Borowski wrote:
> > https://tracker.debian.org/pkg/multistrap
> I see that https://wiki.debian.org/LowThresholdNmu lists you as
> [[JohannesSchauer|Johannes 'josch' Schauer]] while the maintainer field is
> Johannes Schauer , that obviously breaks a string match.

the email on the wiki page is also a different one…

--
cheers,
Holger
Re: Formal declaration of weak package ownership in source packages (was: Replace the TC power to depose maintainers)
On Tue, Dec 06, 2016 at 02:55:57PM +0100, Johannes Schauer wrote:
> Quoting Adam Borowski (2016-12-06 09:36:08)
> > On Tue, Dec 06, 2016 at 09:18:49AM +0100, Johannes Schauer wrote:
> > > What I currently find inconvenient about the LowThresholdNmu page is,
> > > that it is external to the source package. So after having found a
> > > package I want to fix I have to manually look up on that wiki page
> > > whether the maintainer is fine with NMUs and if it applies to the
> > > source package at hand.
> >
> > I wouldn't even think of making a NMU without looking at the PTS, and that
> > page states "LowNMU" right to the maintainer's name.
>
> cool! That's really helpful! Can we also have that being displayed in the bts
> where people are usually coming from if they want to fix a bug?
>
> Unfortunately, I don't see where it says LowNMU in the pts. For example if I
> look at my package multistrap, the string LowNMU occurs nowhere:
>
> https://tracker.debian.org/pkg/multistrap

I see that https://wiki.debian.org/LowThresholdNmu lists you as
[[JohannesSchauer|Johannes 'josch' Schauer]] while the maintainer field is
Johannes Schauer , that obviously breaks a string match.

Wookey isn't recognized either, the tool might want a space or something.

--
u-boot problems can be solved with the help of your old SCSI manuals, the
parts that deal with goat termination. You need a black-handled knife, and
an appropriate set of candles (number and color matters). Or was it a
silver-handled knife? Crap, need to look that up.
Re: Formal declaration of weak package ownership in source packages (was: Replace the TC power to depose maintainers)
Hi,

Quoting Adam Borowski (2016-12-06 09:36:08)
> On Tue, Dec 06, 2016 at 09:18:49AM +0100, Johannes Schauer wrote:
> > What I currently find inconvenient about the LowThresholdNmu page is, that
> > it is external to the source package. So after having found a package I
> > want to fix I have to manually look up on that wiki page whether the
> > maintainer is fine with NMUs and if it applies to the source package at
> > hand.
>
> I wouldn't even think of making a NMU without looking at the PTS, and that
> page states "LowNMU" right to the maintainer's name.

cool! That's really helpful! Can we also have that being displayed in the bts
where people are usually coming from if they want to fix a bug?

Unfortunately, I don't see where it says LowNMU in the pts. For example if I
look at my package multistrap, the string LowNMU occurs nowhere:

https://tracker.debian.org/pkg/multistrap

Thanks!

cheers, josch
Re: Formal declaration of weak package ownership in source packages (was: Replace the TC power to depose maintainers)
Johannes Schauer writes ("Formal declaration of weak package ownership in source packages (was: Replace the TC power to depose maintainers)"):
> I think the thread has derailed here a little bit but I think that
> Lars and Tollef are aware that their proposals are orthogonal to the
> problem you brought up in your original message. I think this
> sub-thread is now about how to change the culture in Debian to one
> where we are (even more) more encouraging towards weak-ownership of
> packages. I took the liberty to adjust the subject line accordingly.

I (obviously) don't object to this. But I would still like to see an
answer to the problem I originally posed.

Ian.

--
Ian Jackson   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
Re: Formal declaration of weak package ownership in source packages (was: Replace the TC power to depose maintainers)
On Tue, Dec 06, 2016 at 09:18:49AM +0100, Johannes Schauer wrote:
> What I currently find inconvenient about the LowThresholdNmu page is, that it
> is external to the source package. So after having found a package I want to
> fix I have to manually look up on that wiki page whether the maintainer is
> fine with NMUs and if it applies to the source package at hand.

I wouldn't even think of making a NMU without looking at the PTS, and that
page states "LowNMU" right to the maintainer's name.

--
u-boot problems can be solved with the help of your old SCSI manuals, the
parts that deal with goat termination. You need a black-handled knife, and
an appropriate set of candles (number and color matters). Or was it a
silver-handled knife? Crap, need to look that up.