[Pkg-javascript-devel] RFS: node-is-obj
Hi, I have prepared the node-is-obj package for closing ITP:850131 (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850131) It is lintian clean and tested with pbuilder on sid. I've added the package to the git repo at https://git.fosscommunity.in/gauravjuvekar/node-is-obj Please review and upload it. -- Regards, Gaurav Juvekar -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] rfs: has-unicode
Following is the link to my git repository https://git.fosscommunity.in/yogirajkulkarni/has-unicode/tree/master On Fri, Jan 6, 2017 at 12:20 PM, Yogiraj Kulkarni < yogirajkulkarni1...@gmail.com> wrote: > I have packaged "has-unicode". I have made it lintian-clean and tested > using sbuilt. > -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] rfs: node-aws4
I have packaged the module aws4 and lintian clean it. I have also tested it with sbuild. Following is my repository on git.fosscommunity.in : git...@git.fosscommunity.in:Vinaydp/aws4.git -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] rfs: has-unicode
I have packaged "has-unicode". I have made it lintian-clean and tested using sbuilt. -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] rfs:md5-o-matic
I have built 'md5-o-matic' package and I have made it lintian clean. I have tested it using 'sbuild'. I want to maintain it in future. I have pushed it to git.fosscommunity.in. So I kindly request you to grant me access. Thank you. P.S.: The link to my project is: https://git.fosscommunity.in/abhishek/md5-o-matic -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] rfs: tweetnacl
I have built 'tweetnacl package' and i have made it lintian clean. I have tested it using 'sbuild'. The have pushed the package to git.fosscommunity.in. The link to the project is: https://git.fosscommunity.in/yashashree/tweetnacl. I want to maintain the package in future. So I kindly request you to grant me access. Thank You. -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
On വ്യാഴം 05 ജനുവരി 2017 10:20 വൈകു, Ximin Luo wrote: > Let's please talk about the specifics of this situation rather than appealing > to vague notions of being welcoming. > > It's my experience that events like these do not generally result in > long-term maintainers. Yes, I am indeed treating them as "inactive" before > they have already joined, based on what I have seen of related events. So I > propose some reasonable checks, to ensure that we get people who are > interested. I disagree that this attitude is flawed. > > I didn't propose a similar check for previous incoming contributors because > they did not have a background context of a mass-join event. So it does not > make sense to compare these two situations. > > We totally do validate membership (everywhere, not just this alioth group) > based on how people formulate their requests to join. Vague requests are > generally rejected in most places, and rightly so. > > Having minimum standards of quality is not "hierarchy". All debian processes has been about advocacy and decision by people who have worked with new people. It was never about people who are unaware about the contributions. In this case, being the person who has worked close with them, I should have been the right person to decide. But it seems people who are totally uninformed wants to decide and just want to use their personal prejudice as the single deciding factor. I do not see this as sustainable and I will not approve any more requests in this team. if we, as a team are unable to follow the processes in line with the debian philosophy and spirit, I will remove myself as an admin from this team. I will not import any of these repos to alioth. Someone who relish authority and elitism has to do the extra work. signature.asc Description: OpenPGP digital signature -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
On വ്യാഴം 05 ജനുവരി 2017 10:20 വൈകു, Ximin Luo wrote: > Let's please talk about the specifics of this situation rather than appealing > to vague notions of being welcoming. This is completely arbitrary restriction. I was thinking we evaluate people based on what they have done, rather than when and where they have done it. I don't agree with this notion. > It's my experience that events like these do not generally result in > long-term maintainers. Yes, I am indeed treating them as "inactive" before > they have already joined, based on what I have seen of related events. So I > propose some reasonable checks, to ensure that we get people who are > interested. I disagree that this attitude is flawed. This is pure prejudice based on your personal experience. We should not be basing our standards based on personal prejudice and paint a large number of people with same color. > I didn't propose a similar check for previous incoming contributors because > they did not have a background context of a mass-join event. So it does not > make sense to compare these two situations. Arbitrary and discriminatory. > We totally do validate membership (everywhere, not just this alioth group) > based on how people formulate their requests to join. Vague requests are > generally rejected in most places, and rightly so. > > Having minimum standards of quality is not "hierarchy". I have asked them to push their work to git.fosscommunity.in and send RFS mails to this list. Those who institute such bureaucracy should also volunteer to import these repos to alioth. I do not want to be forced to do extra work. Other option would have been using mentors.debian.net, but we lose the ability to incorporate their git history (or like now depend on external services). I will also look at possibility of using personal alioth repositories. signature.asc Description: OpenPGP digital signature -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Processed: limit source to nodejs, tagging 828457
Processing commands for cont...@bugs.debian.org: > limit source nodejs Limiting to bugs with field 'source' containing at least one of 'nodejs' Limit currently set to 'source':'nodejs' > tags 828457 + pending Bug #828457 [src:nodejs] nodejs: FTBFS with openssl 1.1.0 Added tag(s) pending. > thanks Stopping processing here. Please contact me if you need assistance. -- 828457: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828457 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
Hi, On 05/01/2017 20:39, Jonas Smedegaard wrote: I don't think anyone has suggested or implied forcing anyone to do anything (please help point out if I missed some detail on that!). I meant if they just attended an event, they may have little motivation to actually join any team, so getting in just for the occasion might not be sensible -- neither for them or for the team. Snark on #debian-js -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#850322: npm: CVE-2016-3956
Source: npm Version: 1.4.21+ds-2 Severity: important Tags: upstream security fixed-upstream Forwarded: https://github.com/npm/npm/issues/8380 Hi, the following vulnerability was published for npm. CVE-2016-3956[0]: | The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js | 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before | 5.10.0, includes bearer tokens with arbitrary requests, which allows | remote HTTP servers to obtain sensitive information by reading | Authorization headers. No fix has been made for 1.x versions. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2016-3956 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3956 [1] https://github.com/npm/npm/issues/8380 Regards, Salvatore -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
Quoting Julien Puydt (2017-01-05 18:41:22) > On 05/01/2017 18:24, Jonas Smedegaard wrote: > > Quoting Ximin Luo (2017-01-05 17:50:00) > >> I propose some reasonable checks, to ensure that we get people who are > >> interested. I disagree that this attitude is flawed. > > > > Thanks. Ximin. > > > > What do others think? > > Until now the discussion seems to have been centered on the Debian > JavaScript Team : should it accept them? Isn't it a security problem to > grant them access? Won't they leave the team out in the cold after > pushing their packages? > > But those are actual people, not just names : are all applicants aware > they are expected to maintain those packages? Are they really interested > in doing so? Do they have any long-term use for an account on alioth? > > I'm for granting them access if they have something to contribute and > they want to join, but I'm againsts forcing them to join to contribute. Thanks! I don't think anyone has suggested or implied forcing anyone to do anything (please help point out if I missed some detail on that!). On the matter of treating newcomers as real people: Approved or not, anyone are free to join this mailinglist ans speak up (e.g. to answer my early question question whether intent is releasing package or maintain, which it is still hanging unanswered!). Anyone else having opinions on the matter? - Jonas -- * Jonas Smedegaard - idealist & Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
Hi, On 05/01/2017 18:24, Jonas Smedegaard wrote: Quoting Ximin Luo (2017-01-05 17:50:00) I propose some reasonable checks, to ensure that we get people who are interested. I disagree that this attitude is flawed. Thanks. Ximin. What do others think? Until now the discussion seems to have been centered on the Debian JavaScript Team : should it accept them? Isn't it a security problem to grant them access? Won't they leave the team out in the cold after pushing their packages? But those are actual people, not just names : are all applicants aware they are expected to maintain those packages? Are they really interested in doing so? Do they have any long-term use for an account on alioth? I'm for granting them access if they have something to contribute and they want to join, but I'm againsts forcing them to join to contribute. Cheers, Snark on #debian-js -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
Quoting Ximin Luo (2017-01-05 17:50:00) > I propose some reasonable checks, to ensure that we get people who are > interested. I disagree that this attitude is flawed. Thanks. Ximin. What do others think? - Jonas -- * Jonas Smedegaard - idealist & Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] node-lodash 4.16.6+dfsg-2 MIGRATED to testing
FYI: The status of the node-lodash source package in Debian's testing distribution has changed. Previous version: 4.16.6+dfsg-1 Current version: 4.16.6+dfsg-2 -- This email is automatically generated once a day. As the installation of new packages into testing happens multiple times a day you will receive later changes on the next day. See https://release.debian.org/testing-watch/ for more information. -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
Jonas Smedegaard: > [..] > > I (loudly!) oppose treating not-yet-members as inactive: Improving > security by minimizing activity is a luxury we cannot afford! > > [..] > > Since when did we validate membership based on how they formulated > their requests to join? > > Were you yourself treated with scrutiny when you joined, then I > appologize on behalf of the team, and kindly ask you to not repeat that > flawed attitude towards newcomers. > > or alternatively - if this team generally appraise such attitude, I will > respect that by leaving the team, as I personally appreciate the *lack* > of hierarchy in Debian. > Let's please talk about the specifics of this situation rather than appealing to vague notions of being welcoming. It's my experience that events like these do not generally result in long-term maintainers. Yes, I am indeed treating them as "inactive" before they have already joined, based on what I have seen of related events. So I propose some reasonable checks, to ensure that we get people who are interested. I disagree that this attitude is flawed. I didn't propose a similar check for previous incoming contributors because they did not have a background context of a mass-join event. So it does not make sense to compare these two situations. We totally do validate membership (everywhere, not just this alioth group) based on how people formulate their requests to join. Vague requests are generally rejected in most places, and rightly so. Having minimum standards of quality is not "hierarchy". X -- GPG: ed25519/56034877E1F87C35 GPG: rsa4096/1318EFAC5FBBDBCE https://github.com/infinity0/pubkeys.git -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] node-read 1.0.7-1 MIGRATED to testing
FYI: The status of the node-read source package in Debian's testing distribution has changed. Previous version: 1.0.5-1 Current version: 1.0.7-1 -- This email is automatically generated once a day. As the installation of new packages into testing happens multiple times a day you will receive later changes on the next day. See https://release.debian.org/testing-watch/ for more information. -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] node-sorted-object 2.0.1-1 MIGRATED to testing
FYI: The status of the node-sorted-object source package in Debian's testing distribution has changed. Previous version: (not in testing) Current version: 2.0.1-1 -- This email is automatically generated once a day. As the installation of new packages into testing happens multiple times a day you will receive later changes on the next day. See https://release.debian.org/testing-watch/ for more information. -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] node-rx 4.1.0+dfsg1-1 MIGRATED to testing
FYI: The status of the node-rx source package in Debian's testing distribution has changed. Previous version: (not in testing) Current version: 4.1.0+dfsg1-1 -- This email is automatically generated once a day. As the installation of new packages into testing happens multiple times a day you will receive later changes on the next day. See https://release.debian.org/testing-watch/ for more information. -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] node-command-join 1.1.1-1 MIGRATED to testing
FYI: The status of the node-command-join source package in Debian's testing distribution has changed. Previous version: (not in testing) Current version: 1.1.1-1 -- This email is automatically generated once a day. As the installation of new packages into testing happens multiple times a day you will receive later changes on the next day. See https://release.debian.org/testing-watch/ for more information. -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] node-mute-stream 0.0.7-1 MIGRATED to testing
FYI: The status of the node-mute-stream source package in Debian's testing distribution has changed. Previous version: 0.0.4-1 Current version: 0.0.7-1 -- This email is automatically generated once a day. As the installation of new packages into testing happens multiple times a day you will receive later changes on the next day. See https://release.debian.org/testing-watch/ for more information. -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] node-cli-cursor 1.0.2-1 MIGRATED to testing
FYI: The status of the node-cli-cursor source package in Debian's testing distribution has changed. Previous version: (not in testing) Current version: 1.0.2-1 -- This email is automatically generated once a day. As the installation of new packages into testing happens multiple times a day you will receive later changes on the next day. See https://release.debian.org/testing-watch/ for more information. -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
Quoting Ximin Luo (2017-01-05 16:26:00) > Jonas Smedegaard: > > Quoting Ximin Luo (2017-01-05 13:51:00) > >> > >> [..] > >> > >> The security aspect is just one factor, not the main factor. > > > > Ok, you now tell me that security is not the main factor. > > > > I clearly read your previous email as if security was the main factor > > for rejecting these requests. For clarity of discussion I shall > > *ignore* the security factor. > > > > > >> But to give more detail, (a) just because we have "little" security, > >> doesn't mean we have to make it quantitatively worse, which we will do > >> if we add anyone that asks - it adds surface area. And (b) the > >> standards of time and continual maintenance that I described > >> elsewhere, also indicates that a person is careful about their general > >> computing practices, which also helps to not-reduce security - > >> compared to giving access to a random person. > > > > Do I understand you correctly that in your opinion the main factor is > > devotion to continued mainentance? > > > > I agree it's the main factor, but for me this is also linked to security. > Having lots of inactive people with that level of access increases risk with > no benefit in return. It's better to have fewer active people. (Of course > lots of active people are even better.) I welcome suggestions for how we might identify and maybe even kick inactive users. I won't spend time proposing or defending such procedures myself, as I find no need for them (we use this team only to exchange emails and exchange git repos - each of us is responsible to validate each email and each git repo!!!). I (loudly!) oppose treating not-yet-members as inactive: Improving security by minimizing activity is a luxury we cannot afford! > > If so, then we agree on what is "main factor" - but still we > > disagree on how to then deal with it: > > > > It seems Praveen find it reasonable to approve "because they are > > ready to upload their packages", and it seems you find that exact > > situation reason for rejecting. I find it neither reject nor > > approve reason. > > > > I welcome into this team any and all persons who feel they are ready > > to *maintain* official Debian packages. I find it wrong to impose > > restrictions on that, but I want to emphasize _maintain_ - this team > > is *not* the Javascript *contribution* team (there are other methods > > to contribute to Debian in other ways than continuous mainenance). > > > > This is why I suggested having them apply individually later. I disagree that requiring individual membership requests helps. Some are inspired to join when alone and seeking friends, other are inspired to join when with friends also joining, or when meeting and working concentrated for days with a role model - as I guess might be the case for (some or all of) these applicants. > They can see if they're comfortable with doing this semi-regularly. > Everything is more fun at a group event but this is not the same as > robust long-term maintenance of packages. I sure hope you are telling me how *you* find it fun to collaborate. If you are imposing on me and others in this team the reasons we should find it fun to be here, you are effectively *discouraging* anyone with different personality than yourself. Please embrace variety! > Another issue that I noticed is some of the requests were very vague. > (Other requests were suitably specific.) I hope these are fixed the > next time around. Since most of these javascript packages are very > small, it would also be good to mention more numbers of packages in > these requests. Since when did we validate membership based on how they formulated their requests to join? Were you yourself treated with scrutiny when you joined, then I appologize on behalf of the team, and kindly ask you to not repeat that flawed attitude towards newcomers. or alternatively - if this team generally appraise such attitude, I will respect that by leaving the team, as I personally appreciate the *lack* of hierarchy in Debian. - Jonas -- * Jonas Smedegaard - idealist & Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
Quoting Paolo Greppi (2017-01-05 15:40:16) > On 05/01/2017 14:00, Pirate Praveen wrote: > > On വ്യാഴം 05 ജനുവരി 2017 06:09 വൈകു, Ximin Luo wrote: > >> This has nothing to do with tools, as Jonas mentioned it is about a > >> continual time dedication to a FOSS project. Please try to understand this. > > Yes, it has a lot to do with our tools. If we were using a git hosting > > tool like gitlab or pagure, we could have reviewed pull requests before > > we grant access to a new contributor. > > > > You can't demand such dedication from a new contributor. Did you sign > > such a commitment before you got access to pkg-javascript team and debian? > > > > What did you mean when you said they can use github.com? Isn't that > > evidence of our lack of tools to bring new people to debian? Why should > > I tell anyone to use a proprietary service to contribute to debian? This > > is something we got to fix. > > When I read this, I became curious about who creates and contributes to repos > in /git/pkg-javascript. Here is what I found out thanks to my paolog-guest > shell access to git.d.o. > > There are 876 subdirs in /git/pkg-javascript, and they were created by 30 > guest accounts and 37 non-guest accounts. A recursive search on all contained > files & subdirs yields a grand total of 33 guest accounts and 46 non-guest > (apparently not many people push to repositories someone else had created). > > For those git repos we are using a setup that the git docs [1] advise for "a > small outfit", but 79 seems more than "few developers" ... For larger teams > they advise gitosis or gitolite; only the latter seems to be an active > project and is packaged as gitolite3. > > My comments: > > - the tools we have are in line with rest of the debian tools (WOT, BTS ...): > CLI, raw and based on trust > > - granting shell access to guests is consistent with that culture > > - but 10 new guest accounts added to the pkg-javascript team in one > shot is a lot (+30%); also mass requests to join the team sound like > spamming (but that's clearly not the case here !) > > - when I was a student at the uni a long time ago I remember we were > willing to go a long way to please the professors **before** the exam > ;-) > > - if gitolite were installed and configured on moszumanska (git.d.o.), it > would probably be possible to set up access control on select repos for > external "contributors"; "contributor" here is meant in a sense similar to > "debian contributor" idea [2]. > > In conclusion, Debian Contributor is a suitable status for a student > who wants to give it a try during a seminar. If they pass the exam and > **afterwards** out of their free will submit a request to join > pkg-javascript, then the path from contributor to DD is open to them ! Yes, statistics may show how many in this team currently collaborate how much. And yes, Alioth provide us tools to separate our team in multiple classes of members. Do we want to maintain our current level of (lack of) collaboration? Do we want multiple classes of users? I want this team to be equal peers - one class with equal access rights. I want this team to be for maintainers helping each other as time and skills permit. If we should ever reject anyone, then only those who have demonstrated *not* collaborating or *not* maintaining - we should never refuse people based on fear that they will not do so in the future. That's why I ask (but do not demand proof) if these concrete newcomers are able and interested in not only releasing packages but also in maintaining them. - Jonas -- * Jonas Smedegaard - idealist & Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
Jonas Smedegaard: > Quoting Ximin Luo (2017-01-05 13:51:00) >> >> [..] >> >> The security aspect is just one factor, not the main factor. > > Ok, you now tell me that security is not the main factor. > > I clearly read your previous email as if security was the main factor > for rejecting these requests. For clarity of discussion I shall > *ignore* the security factor. > > >> But to give more detail, (a) just because we have "little" security, >> doesn't mean we have to make it quantitatively worse, which we will do >> if we add anyone that asks - it adds surface area. And (b) the >> standards of time and continual maintenance that I described >> elsewhere, also indicates that a person is careful about their general >> computing practices, which also helps to not-reduce security - >> compared to giving access to a random person. > > Do I understand you correctly that in your opinion the main factor is > devotion to continued mainentance? > I agree it's the main factor, but for me this is also linked to security. Having lots of inactive people with that level of access increases risk with no benefit in return. It's better to have fewer active people. (Of course lots of active people are even better.) > If so, then we agree on what is "main factor" - but still we disagree on > how to then deal with it: > > It seems Praveen find it reasonable to approve "because they are ready > to upload their packages", and it seems you find that exact situation > reason for rejecting. I find it neither reject nor approve reason. > > I welcome into this team any and all persons who feel they are ready to > *maintain* official Debian packages. I find it wrong to impose > restrictions on that, but I want to emphasize _maintain_ - this team is > *not* the Javascript *contribution* team (there are other methods to > contribute to Debian in other ways than continuous mainenance). > This is why I suggested having them apply individually later. They can see if they're comfortable with doing this semi-regularly. Everything is more fun at a group event but this is not the same as robust long-term maintenance of packages. Another issue that I noticed is some of the requests were very vague. (Other requests were suitably specific.) I hope these are fixed the next time around. Since most of these javascript packages are very small, it would also be good to mention more numbers of packages in these requests. X -- GPG: ed25519/56034877E1F87C35 GPG: rsa4096/1318EFAC5FBBDBCE https://github.com/infinity0/pubkeys.git -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
Pirate Praveen: > On വ്യാഴം 05 ജനുവരി 2017 06:44 വൈകു, Ximin Luo wrote: >> It's normal convention in any organisation or project to temporarily revert >> a change that is controversial. > > ok. > >> Adding 10 new people from an event, every time there is an event, is also >> not sustainable as a team. > > I have organized many packaging workshops over the years. I don't grant > access to any one just because they attended an event. I have granted > them access only because I am convinced they qualify to get this access. > > They learned how to make a package lintian clean, how run a clean build > using sbuild, make patches using quilt, how to repack. They did all this > by themselves on 3-4 packages that was already packaged before they > started with a new package. > OK, thanks for sharing these details, it really helps us to properly discuss this situation. In terms of knowledge, it sounds like they are sufficiently capable. I still think it's better to have them make requests in their own time, instead of all at once. This gives some time for us to read properly their request, and distinguish and remember them as individuals separately from the other people that also want to join. It also gives them some time to practise these things and decide if they really want to continue with it in the long run. I agree with Jonas that this team (and other alioth teams) should be about maintenance, not just contributions. (We can continue on this topic in the other subthread.) >> Please respond to my points (about responsibility, maintenance and events) >> instead of accusing me of "contempt" simply because I disagreed with your >> actions. > > We do not have such rules for accepting a first package or granting them > access to a project. I was only following the convention we have set for > this team. > >> I also don't see why you are making such a fuss. The conditions I described >> (making a request at a later date, individually) are not particularly hard >> to achieve, and helps to confirm their true long-term interest in being a >> team member, to the rest of us that are unsure about these events. > > I make a fuss because you are acting arbitrarily, making up policies and > rules on the go. > I understand. I did not mean to arbitrarily impose anything - reverting their membership was only meant as a temporary measure whilst the discussion is still ongoing. X -- GPG: ed25519/56034877E1F87C35 GPG: rsa4096/1318EFAC5FBBDBCE https://github.com/infinity0/pubkeys.git -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
Quoting Pirate Praveen (2017-01-05 14:06:32) > On വ്യാഴം 05 ജനുവരി 2017 06:21 വൈകു, Ximin Luo wrote: > > We don't have hard rules, but we all have our ideas about what is right or > > wrong. For you, it is a question of "are they aware". For me, I explained > > it in my other email, and it roughly overlaps with "are they aware". > > I have accepted their request because I have spent time with them. By > removing people that I have accepted you showed contempt for my > judgment. What authority do you have to remove people from the project > just because they are new? > > Is this how this team want to continue? If I have acted wrongly, then > please remove my admin access as well. But this kind of action is not > sustainable as a team. Please stay, Praveen! Please do not kick out people, Ximin! Please, everyone else (and newcomers in particular): Please feel welcome in the javascript maintainers team when you feel able and interested in *maintaining* official debian javascript-related packages. Let's discuss here. -- * Jonas Smedegaard - idealist & Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
Quoting Ximin Luo (2017-01-05 13:51:00) > Jonas Smedegaard: >> Quoting Ximin Luo (2017-01-05 12:53:00) >>> Pirate Praveen: On വ്യാഴം 05 ജനുവരി 2017 04:22 വൈകു, Jérémy Lal wrote: > This is great, but is this serious ? > Anyone knows what's happening ? [...] I'm taking a packaging workshop at College of Engineering Pune [1]. This is 4th day of the workshop and many have completed their packages and are ready for upload. [...] >>> Hi, please don't add these people. >>> >>> People in the alioth group have read-write access to all >>> pkg-javascript git repos as well as shell access on that machine. >>> >>> I don't think it's right to give this many people, who show up at an >>> event, this level of access without any other requirement. It is too >>> dangerous. [...] >> We do not in this team have any rules for membership that one must >> first prove her worth by packaging outside of Debian, not that they >> must use their spare time doing so! >> >> I am concerned if people requesting to join are fully aware what it is >> they join, which is why I asked about that. But I see nothing wrong >> with approving people we don't know well. > > > > We must recognize that we have little security fencing the assets of > > this team, and treat them accordingly (double-check what you pull, sign > > changes you make, etc.). Making it harder to join this team does *not* > > help secure our assets! > > > > We don't have hard rules, but we all have our ideas about what is > right or wrong. For you, it is a question of "are they aware". For me, > I explained it in my other email, and it roughly overlaps with "are > they aware". > > The security aspect is just one factor, not the main factor. Ok, you now tell me that security is not the main factor. I clearly read your previous email as if security was the main factor for rejecting these requests. For clarity of discussion I shall *ignore* the security factor. > But to give more detail, (a) just because we have "little" security, > doesn't mean we have to make it quantitatively worse, which we will do > if we add anyone that asks - it adds surface area. And (b) the > standards of time and continual maintenance that I described > elsewhere, also indicates that a person is careful about their general > computing practices, which also helps to not-reduce security - > compared to giving access to a random person. Do I understand you correctly that in your opinion the main factor is devotion to continued mainentance? If so, then we agree on what is "main factor" - but still we disagree on how to then deal with it: It seems Praveen find it reasonable to approve "because they are ready to upload their packages", and it seems you find that exact situation reason for rejecting. I find it neither reject nor approve reason. I welcome into this team any and all persons who feel they are ready to *maintain* official Debian packages. I find it wrong to impose restrictions on that, but I want to emphasize _maintain_ - this team is *not* the Javascript *contribution* team (there are other methods to contribute to Debian in other ways than continuous mainenance). - Jonas -- * Jonas Smedegaard - idealist & Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
On വ്യാഴം 05 ജനുവരി 2017 06:44 വൈകു, Ximin Luo wrote: > It's normal convention in any organisation or project to temporarily revert a > change that is controversial. ok. > Adding 10 new people from an event, every time there is an event, is also not > sustainable as a team. I have organized many packaging workshops over the years. I don't grant access to any one just because they attended an event. I have granted them access only because I am convinced they qualify to get this access. They learned how to make a package lintian clean, how run a clean build using sbuild, make patches using quilt, how to repack. They did all this by themselves on 3-4 packages that was already packaged before they started with a new package. > Please respond to my points (about responsibility, maintenance and events) > instead of accusing me of "contempt" simply because I disagreed with your > actions. We do not have such rules for accepting a first package or granting them access to a project. I was only following the convention we have set for this team. > I also don't see why you are making such a fuss. The conditions I described > (making a request at a later date, individually) are not particularly hard to > achieve, and helps to confirm their true long-term interest in being a team > member, to the rest of us that are unsure about these events. I make a fuss because you are acting arbitrarily, making up policies and rules on the go. signature.asc Description: OpenPGP digital signature -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
Pirate Praveen: > On വ്യാഴം 05 ജനുവരി 2017 06:21 വൈകു, Ximin Luo wrote: >> We don't have hard rules, but we all have our ideas about what is right or >> wrong. For you, it is a question of "are they aware". For me, I explained it >> in my other email, and it roughly overlaps with "are they aware". > > I have accepted their request because I have spent time with them. By > removing people that I have accepted you showed contempt for my > judgment. What authority do you have to remove people from the project > just because they are new? > > Is this how this team want to continue? If I have acted wrongly, then > please remove my admin access as well. But this kind of action is not > sustainable as a team. > It's normal convention in any organisation or project to temporarily revert a change that is controversial. Adding 10 new people from an event, every time there is an event, is also not sustainable as a team. Please respond to my points (about responsibility, maintenance and events) instead of accusing me of "contempt" simply because I disagreed with your actions. I also don't see why you are making such a fuss. The conditions I described (making a request at a later date, individually) are not particularly hard to achieve, and helps to confirm their true long-term interest in being a team member, to the rest of us that are unsure about these events. X -- GPG: ed25519/56034877E1F87C35 GPG: rsa4096/1318EFAC5FBBDBCE https://github.com/infinity0/pubkeys.git -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
On വ്യാഴം 05 ജനുവരി 2017 06:21 വൈകു, Ximin Luo wrote: > We don't have hard rules, but we all have our ideas about what is right or > wrong. For you, it is a question of "are they aware". For me, I explained it > in my other email, and it roughly overlaps with "are they aware". I have accepted their request because I have spent time with them. By removing people that I have accepted you showed contempt for my judgment. What authority do you have to remove people from the project just because they are new? Is this how this team want to continue? If I have acted wrongly, then please remove my admin access as well. But this kind of action is not sustainable as a team. signature.asc Description: OpenPGP digital signature -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
Pirate Praveen: > On വ്യാഴം 05 ജനുവരി 2017 06:09 വൈകു, Ximin Luo wrote: >> This has nothing to do with tools, as Jonas mentioned it is about a >> continual time dedication to a FOSS project. Please try to understand this. > > Yes, it has a lot to do with our tools. If we were using a git hosting > tool like gitlab or pagure, we could have reviewed pull requests before > we grant access to a new contributor. > > You can't demand such dedication from a new contributor. Did you sign > such a commitment before you got access to pkg-javascript team and debian? > > What did you mean when you said they can use github.com? Isn't that > evidence of our lack of tools to bring new people to debian? Why should > I tell anyone to use a proprietary service to contribute to debian? This > is something we got to fix. > >> It is easy to find people that will do some work at an event under guidance, >> but this is very different from someone finding alioth in their own spare >> time and out of their own motivation. So the situation is different from >> typical contributors that make these requests. > > We don't ask any new contributor for such commitment and it is not > acceptable you acting unilaterally and removing people from the group. > >> To be granted access, someone should demonstrate that they will properly >> take care of the things they claim responsibility for, not merely doing a >> one-time task at a fun event that temporarily is quite enjoyable. > > We don't ask such questions to any new contributors. Is it just because > there were many? If there were only one or two people, you would not > have even noticed it. So is bringing more people to debian discouraged? > >> As I said, I will happily agree to accept any of these people if they send >> in a request at a later date, indicating that they have one of the latter >> qualities, either by packaging a second package or by showing that they have >> properly maintained the first package that they have taken on. > > If that is the qualification, then we should make it as a team policy > and enforce it for everyone. > >> Otherwise, from what you described, it doesn't seem like alioth access is >> vital for what these people want to do anyway. > > You clearly accepted my argument that its a tool problem. We don't have > tools in debian to accept contributions this way. > Please try to understand the difference between 10 people at an event asking for access because 1 person instructed them to, vs single people asking for access at unrelated periods. Otherwise, this discussion won't move forward. There are many ways of contributing to Debian and FOSS, and spamming your way into infrastructure isn't one of them. Some people have said they agree with me in other channels, so I am acting as "unilaterally" as you are, by inviting this many people into the group without consulting people first. I don't think we need a formal policy, just rough understanding of the point that I am trying to make: 10 people at an event asking for access because 1 person instructed them to, vs single people asking for access at unrelated periods. These are very very different things. Please try to understand this, rather than nitpicking various aspects of the point I am making. X -- GPG: ed25519/56034877E1F87C35 GPG: rsa4096/1318EFAC5FBBDBCE https://github.com/infinity0/pubkeys.git -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
On വ്യാഴം 05 ജനുവരി 2017 06:09 വൈകു, Ximin Luo wrote: > This has nothing to do with tools, as Jonas mentioned it is about a continual > time dedication to a FOSS project. Please try to understand this. Yes, it has a lot to do with our tools. If we were using a git hosting tool like gitlab or pagure, we could have reviewed pull requests before we grant access to a new contributor. You can't demand such dedication from a new contributor. Did you sign such a commitment before you got access to pkg-javascript team and debian? What did you mean when you said they can use github.com? Isn't that evidence of our lack of tools to bring new people to debian? Why should I tell anyone to use a proprietary service to contribute to debian? This is something we got to fix. > It is easy to find people that will do some work at an event under guidance, > but this is very different from someone finding alioth in their own spare > time and out of their own motivation. So the situation is different from > typical contributors that make these requests. We don't ask any new contributor for such commitment and it is not acceptable you acting unilaterally and removing people from the group. > To be granted access, someone should demonstrate that they will properly take > care of the things they claim responsibility for, not merely doing a one-time > task at a fun event that temporarily is quite enjoyable. We don't ask such questions to any new contributors. Is it just because there were many? If there were only one or two people, you would not have even noticed it. So is bringing more people to debian discouraged? > As I said, I will happily agree to accept any of these people if they send in > a request at a later date, indicating that they have one of the latter > qualities, either by packaging a second package or by showing that they have > properly maintained the first package that they have taken on. If that is the qualification, then we should make it as a team policy and enforce it for everyone. > Otherwise, from what you described, it doesn't seem like alioth access is > vital for what these people want to do anyway. You clearly accepted my argument that its a tool problem. We don't have tools in debian to accept contributions this way. signature.asc Description: OpenPGP digital signature -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
Jonas Smedegaard: > Quoting Ximin Luo (2017-01-05 12:53:00) >> Pirate Praveen: >>> On വ്യാഴം 05 ജനുവരി 2017 04:22 വൈകു, Jérémy Lal wrote: This is great, but is this serious ? Anyone knows what's happening ? > >>> I'm taking a packaging workshop at College of Engineering Pune [1]. >>> >>> This is 4th day of the workshop and many have completed their packages >>> and are ready for upload. >>> >>> https://lists.debian.org/debian-dug-in/2016/12/msg1.html >>> >>> Initially some sent requests before I told them to give details about >>> their package. So please approve if the information is complete. >>> >> >> Hi, please don't add these people. >> >> People in the alioth group have read-write access to all pkg-javascript git >> repos as well as shell access on that machine. >> >> I don't think it's right to give this many people, who show up at an event, >> this level of access without any other requirement. It is too dangerous. >> >> I have rejected these requests and removed these people until they package a >> second package *in their own spare time* outside of an event. In the >> meantime, they can push their packages on github, this is adequate for a >> sponsored upload to Debian. > > I disagree with that approach, Ximian: > > We do not in this team have any rules for membership that one must first > prove her worth by packaging outside of Debian, not that they must use > their spare time doing so! > > I am concerned if people requesting to join are fully aware what it is > they join, which is why I asked about that. But I see nothing wrong > with approving people we don't know well. > > We must recognize that we have little security fencing the assets of > this team, and treat them accordingly (double-check what you pull, sign > changes you make, etc.). Making it harder to join this team does *not* > help secure our assets! > We don't have hard rules, but we all have our ideas about what is right or wrong. For you, it is a question of "are they aware". For me, I explained it in my other email, and it roughly overlaps with "are they aware". The security aspect is just one factor, not the main factor. But to give more detail, (a) just because we have "little" security, doesn't mean we have to make it quantitatively worse, which we will do if we add anyone that asks - it adds surface area. And (b) the standards of time and continual maintenance that I described elsewhere, also indicates that a person is careful about their general computing practices, which also helps to not-reduce security - compared to giving access to a random person. X -- GPG: ed25519/56034877E1F87C35 GPG: rsa4096/1318EFAC5FBBDBCE https://github.com/infinity0/pubkeys.git -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
Pirate Praveen: > On വ്യാഴം 05 ജനുവരി 2017 05:23 വൈകു, Ximin Luo wrote: >> Hi, please don't add these people. >> >> People in the alioth group have read-write access to all pkg-javascript git >> repos as well as shell access on that machine. >> >> I don't think it's right to give this many people, who show up at an event, >> this level of access without any other requirement. It is too dangerous. > > They have been learning packaging and doing hands on work for 4 full > days (at least 8*4 hours of continuous packaging work). This is how we > add new people to a project. It is something that has to be fixed in the > tools. > >> I have rejected these requests and removed these people until they package a >> second package *in their own spare time* outside of an event. In the >> meantime, they can push their packages on github, this is adequate for a >> sponsored upload to Debian. > > I think they qualify the requirements we ask for any new contributor. > This has nothing to do with tools, as Jonas mentioned it is about a continual time dedication to a FOSS project. Please try to understand this. It is easy to find people that will do some work at an event under guidance, but this is very different from someone finding alioth in their own spare time and out of their own motivation. So the situation is different from typical contributors that make these requests. To be granted access, someone should demonstrate that they will properly take care of the things they claim responsibility for, not merely doing a one-time task at a fun event that temporarily is quite enjoyable. As I said, I will happily agree to accept any of these people if they send in a request at a later date, indicating that they have one of the latter qualities, either by packaging a second package or by showing that they have properly maintained the first package that they have taken on. Otherwise, from what you described, it doesn't seem like alioth access is vital for what these people want to do anyway. X -- GPG: ed25519/56034877E1F87C35 GPG: rsa4096/1318EFAC5FBBDBCE https://github.com/infinity0/pubkeys.git -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
On വ്യാഴം 05 ജനുവരി 2017 05:23 വൈകു, Ximin Luo wrote: > Hi, please don't add these people. > > People in the alioth group have read-write access to all pkg-javascript git > repos as well as shell access on that machine. > > I don't think it's right to give this many people, who show up at an event, > this level of access without any other requirement. It is too dangerous. They have been learning packaging and doing hands on work for 4 full days (at least 8*4 hours of continuous packaging work). This is how we add new people to a project. It is something that has to be fixed in the tools. > I have rejected these requests and removed these people until they package a > second package *in their own spare time* outside of an event. In the > meantime, they can push their packages on github, this is adequate for a > sponsored upload to Debian. I think they qualify the requirements we ask for any new contributor. signature.asc Description: OpenPGP digital signature -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
On വ്യാഴം 05 ജനുവരി 2017 04:22 വൈകു, Jérémy Lal wrote: > This is great, but is this serious ? > Anyone knows what's happening ? Hi Jeremy, I'm taking a packaging workshop at College of Engineering Pune [1]. This is 4th day of the workshop and many have completed their packages and are ready for upload. https://lists.debian.org/debian-dug-in/2016/12/msg1.html Initially some sent requests before I told them to give details about their package. So please approve if the information is complete. Thanks Praveen signature.asc Description: OpenPGP digital signature -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] lots of requests to join pkg-javascript
This is great, but is this serious ? Anyone knows what's happening ? Jérémy -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
