Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
On 28/01/17 18:44, Pirate Praveen wrote: On ശനി 28 ജനുവരി 2017 10:21 വൈകു, Ross Gammon wrote: I was disappointed with this too. I think we should be encouraging newcomers to place their packaging in the standard place, so we can help them when required. The last thing we want is node-*/js packaging being done in a different way, in a different place. If I had a list of Alioth logins, I would be happy to help adding them to the team. We need more help here! Tushar Agey (tush-guest) requested membership today, you can start with him. I'll ask each of them to apply again when they are ready to upload a second package. For now, someone needs to import all the packages accepted by ftp masters (filter mail by ACCEPTED) so the duplication can be avoided until npm2deb is fixed to look in experimental too. Somebody had already added Tushar to the team. Welcome Tushar! I have pushed all the recent packages uploaded to experimental to alioth. I did notice some of them did not have a complete set of tags, and I did not check if the repository URI matches the link in debian/control. This should be checked before the next upload. But at least npm2deb should find the repositories & help avoid duplicated effort. Cheers, Ross -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
On ശനി 28 ജനുവരി 2017 10:21 വൈകു, Ross Gammon wrote: > I was disappointed with this too. I think we should be encouraging > newcomers to place their packaging in the standard place, so we can help > them when required. The last thing we want is node-*/js packaging being > done in a different way, in a different place. > > If I had a list of Alioth logins, I would be happy to help adding them > to the team. We need more help here! Tushar Agey (tush-guest) requested membership today, you can start with him. I'll ask each of them to apply again when they are ready to upload a second package. For now, someone needs to import all the packages accepted by ftp masters (filter mail by ACCEPTED) so the duplication can be avoided until npm2deb is fixed to look in experimental too. signature.asc Description: OpenPGP digital signature -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
Hi Pirate, On 01/27/2017 10:02 AM, Pirate Praveen wrote: > Thanks to a bug in npm2deb search which does not look in experimental > and our excellent on boarding practices which prefers keeping new git > repos out of team repo in alioth, people are duplicating work, packaging > already packaged node modules (node-timed-out and node-cli-spinners > already, I expect more duplication). I don't see the same level of > enthusiasm to import those repos to alioth (I'm not going to do it as I > strongly disagree with the unilateral decision of rejecting their alioth > requests based on one person's prejudice, it is also unnecessary extra > work for the team, those who advocated this setup should be willing to > take the extra work). > > I was disappointed with this too. I think we should be encouraging newcomers to place their packaging in the standard place, so we can help them when required. The last thing we want is node-*/js packaging being done in a different way, in a different place. If I had a list of Alioth logins, I would be happy to help adding them to the team. We need more help here! Ross -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
Thanks to a bug in npm2deb search which does not look in experimental and our excellent on boarding practices which prefers keeping new git repos out of team repo in alioth, people are duplicating work, packaging already packaged node modules (node-timed-out and node-cli-spinners already, I expect more duplication). I don't see the same level of enthusiasm to import those repos to alioth (I'm not going to do it as I strongly disagree with the unilateral decision of rejecting their alioth requests based on one person's prejudice, it is also unnecessary extra work for the team, those who advocated this setup should be willing to take the extra work). signature.asc Description: OpenPGP digital signature -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
Hi All, Sorry - I am a bit late to this. I have had problems with my javascript email address, and I am now using a new one here. On 01/06/2017 07:21 AM, Pirate Praveen wrote: > I have asked them to push their work to git.fosscommunity.in and send > RFS mails to this list. Those who institute such bureaucracy should also > volunteer to import these repos to alioth. I do not want to be forced to > do extra work. > > Other option would have been using mentors.debian.net, but we lose the > ability to incorporate their git history (or like now depend on external > services). > > I will also look at possibility of using personal alioth repositories. I really like to encourage the use of mentors.debian.net to new-comers. There are a lot of experienced developers there who can answer general packaging questions and queries about Debian policy etc. I have had requests for help from people that would prefer to be mentored privately. But I prefer that we all share our learning experiences on a public list, so that others can learn at the same time. Mentors.net also has the advantage that the package is known to have been successfully built, in order for the *.changes file to get uploaded. It also gives experience in debsign & dput. But this thread points out that we are missing a parallel "mentors" git/svn repository where people can learn about packaging within a repository as well. The work can be pushed to the official place later (whenever the sponsor suggests the mentee joins a team). As for whether we should let "anyone" have access to the Javascript alioth repository (ie. join the team), my opinion is that the repository is not the archive. We can always reconstruct the repo from the archive (although losing some history) after discovering someone from the team has misbehaved, or made a mistake. Commitment to continued maintenance is something the sponsor should check before uploading to the archive. I am sure there are a few sponsors that have been left "holding a baby" when someone just wanted to get a package into Debian, but was lying about their commitment. And this is not even after a "packaging tutorial" or whatever event. The package will be orphaned and hopefully picked up by someone else if it is an important enough package. Other teams I am a member of, expect the "joining request" to include a statement that they have read the team policy. Maybe we should add a "Joining the Team" line on https://wiki.debian.org/Javascript that "softly" states that it is recommended to read the team policy before applying to join? If the request to join is a little short on information, you can always recommend they read the information (on the list) after the request to join is accepted by someone in the team. I have seen Jonas do this many times. Regards, Ross -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
Jonas Smedegaard: > Quoting Ximin Luo (2017-01-06 11:54:00) >> Jonas Smedegaard: > [..] I do not see this as sustainable and I will not approve any > more requests in this team. if we, as a team are unable to follow > the processes in line with the debian philosophy and spirit, I will > remove myself as an admin from this team. > > I will not import any of these repos to alioth. Someone who relish > authority and elitism has to do the extra work. >>> >>> I wish you wouldn't give in like that, but understand your reasoning >>> (and appreciate that you didn't take even worse action!). >>> >>> Get your head out of your own ass, and stop acting like you're a victim here. >>> >>> Go wash your mouth, and step back from your high horse: You are *not* >>> the boss around here (noone is), and you have no right to dictate >>> newly invented rules nor point fingers at peer team members choosing >>> to disagree with them! >>> >> >> I'm neither on a high-horse nor being "the boss" around here. I'm >> simply pointing out the insane level of hypocrisy being directed at >> me. >> >> When I disagree with something being done that affects the whole team, >> I'm "dictating newly-invented rules", but when you and Praveen >> disagree with something, it's "being welcoming"? No, this is bullshit, >> and I won't apologoise for calling it bullshit nor stop calling it >> bullshit. Your actions have an effect on everyone, this is not about >> being welcoming; get off *your* high horse. > > Oh, you find your own attitude and language fine, and mine problematic. > Thanks for sharing. > > I already¹ described my opinion on how this team should treat newcomers, > and I (still) welcome everyone on this list to share your opinion on the > matter. > > Based on that input, I will consider if I personally want to continue as > member of this team. > *eyeroll* Oh well fine, I might as well jump on the bandwagon. I *also* want to consider personally if I want to remain on this team. Can't even have a discussion about how we should deal with mass-join events without being accused of being a dictator. +1 to opinions and input from more people. Finally, let me try to sort out the mess. Firstly, I am sorry that I was too heavy in my first post. I did not mean to imply that I think these people should *never* join the team, or suggest that I was rigid about the "package a second package etc" condition. I tried to explain this later, hopefully I am more clear here. Secondly, there was no need to immediately go create separate repos, Praveen your students could have waited a while. However, it should be easy to just script the creation of these extra repos via the ./setup-repository script that we already have. They will each have to register their SSH keys manually, but they had to do that in any case. I don't think there is too much extra work adding a second git remote and pushing to it. Thirdly, you talk about about welcoming new contributors, but there are existing people on the team to consider as well. It's always easier to accommodate new people one-by-one and get to know them, if they join slowly. If lots of people join at once, it's reasonable to ask that they do things slightly differently, to give the existing team members some time to adjust. Obviously nobody would think of autojoining 1000 people at once, everyone has some idea of what is "reasonable"; this is not "dictating" who can or can't join. Others have voiced opinions along these lines too already, similar but different from the suggestions I made. I welcome people to expand on these in more detail, and hopefully it'll come across less forceful than my attempts. X -- GPG: ed25519/56034877E1F87C35 GPG: rsa4096/1318EFAC5FBBDBCE https://github.com/infinity0/pubkeys.git -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
Jonas Smedegaard: >>> [..] I do not see this as sustainable and I will not approve any more >>> requests in this team. if we, as a team are unable to follow the >>> processes in line with the debian philosophy and spirit, I will >>> remove myself as an admin from this team. >>> >>> I will not import any of these repos to alioth. Someone who relish >>> authority and elitism has to do the extra work. > > I wish you wouldn't give in like that, but understand your reasoning > (and appreciate that you didn't take even worse action!). > > >> Get your head out of your own ass, and stop acting like you're a >> victim here. > > Go wash your mouth, and step back from your high horse: You are *not* > the boss around here (noone is), and you have no right to dictate newly > invented rules nor point fingers at peer team members choosing to > disagree with them! > I'm neither on a high-horse nor being "the boss" around here. I'm simply pointing out the insane level of hypocrisy being directed at me. When I disagree with something being done that affects the whole team, I'm "dictating newly-invented rules", but when you and Praveen disagree with something, it's "being welcoming"? No, this is bullshit, and I won't apologoise for calling it bullshit nor stop calling it bullshit. Your actions have an effect on everyone, this is not about being welcoming; get off *your* high horse. X -- GPG: ed25519/56034877E1F87C35 GPG: rsa4096/1318EFAC5FBBDBCE https://github.com/infinity0/pubkeys.git -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
Quoting Ximin Luo (2017-01-06 11:27:00) > Pirate Praveen: >> On വ്യാഴം 05 ജനുവരി 2017 10:20 വൈകു, Ximin Luo wrote: >>> Let's please talk about the specifics of this situation rather than >>> appealing to vague notions of being welcoming. >> >> This is completely arbitrary restriction. I was thinking we evaluate >> people based on what they have done, rather than when and where they >> have done it. I don't agree with this notion. I agree with Praveen. > Being a maintainer is about more than doing one small thing. True, but that's how it usually begins! This team is not restricted to people _already_ being maintainers. >> [..] I do not see this as sustainable and I will not approve any more >> requests in this team. if we, as a team are unable to follow the >> processes in line with the debian philosophy and spirit, I will >> remove myself as an admin from this team. >> >> I will not import any of these repos to alioth. Someone who relish >> authority and elitism has to do the extra work. I wish you wouldn't give in like that, but understand your reasoning (and appreciate that you didn't take even worse action!). > Get your head out of your own ass, and stop acting like you're a > victim here. Go wash your mouth, and step back from your high horse: You are *not* the boss around here (noone is), and you have no right to dictate newly invented rules nor point fingers at peer team members choosing to disagree with them! - Jonas -- * Jonas Smedegaard - idealist & Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
Pirate Praveen: > On വ്യാഴം 05 ജനുവരി 2017 10:20 വൈകു, Ximin Luo wrote: >> Let's please talk about the specifics of this situation rather than >> appealing to vague notions of being welcoming. > > This is completely arbitrary restriction. I was thinking we evaluate > people based on what they have done, rather than when and where they > have done it. I don't agree with this notion. > >> It's my experience that events like these do not generally result in >> long-term maintainers. Yes, I am indeed treating them as "inactive" before >> they have already joined, based on what I have seen of related events. So I >> propose some reasonable checks, to ensure that we get people who are >> interested. I disagree that this attitude is flawed. > > This is pure prejudice based on your personal experience. We should not > be basing our standards based on personal prejudice and paint a large > number of people with same color. > >> I didn't propose a similar check for previous incoming contributors because >> they did not have a background context of a mass-join event. So it does not >> make sense to compare these two situations. > > Arbitrary and discriminatory. > Being a maintainer is about more than doing one small thing. Considering when and where they have done it is completely appropriate, and it is completely right and fair of me to take into account my own personal experience and background context about these types of events. Pirate Praveen: > All debian processes has been about advocacy and decision by people who > have worked with new people. It was never about people who are unaware > about the contributions. In this case, being the person who has worked > close with them, I should have been the right person to decide. But it > seems people who are totally uninformed wants to decide and just want to > use their personal prejudice as the single deciding factor. [..] Yes, I have less information than you do. How about instead of accusing me of being "discriminatory" and judging without information, you provide us with more information? You haven't mentioned who these people are in any amount of detail, all you said is that they are some students attending an event run by you - ironically painting a large number of people with the same color, yourself! Tell us some stories about who each of these individuals are! > [..] I do not see > this as sustainable and I will not approve any more requests in this > team. if we, as a team are unable to follow the processes in line with > the debian philosophy and spirit, I will remove myself as an admin from > this team. > > I will not import any of these repos to alioth. Someone who relish > authority and elitism has to do the extra work. Get your head out of your own ass, and stop acting like you're a victim here. You keep talking about the Debian "philosophy and spirit"; spamming 10 people into a group with requests like "I want to package, give me access" is NOT that. This does not help anyone trust anyone. Being cautious about these types of actions, is not authority or elitism. X -- GPG: ed25519/56034877E1F87C35 GPG: rsa4096/1318EFAC5FBBDBCE https://github.com/infinity0/pubkeys.git -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
On വ്യാഴം 05 ജനുവരി 2017 10:20 വൈകു, Ximin Luo wrote: > Let's please talk about the specifics of this situation rather than appealing > to vague notions of being welcoming. > > It's my experience that events like these do not generally result in > long-term maintainers. Yes, I am indeed treating them as "inactive" before > they have already joined, based on what I have seen of related events. So I > propose some reasonable checks, to ensure that we get people who are > interested. I disagree that this attitude is flawed. > > I didn't propose a similar check for previous incoming contributors because > they did not have a background context of a mass-join event. So it does not > make sense to compare these two situations. > > We totally do validate membership (everywhere, not just this alioth group) > based on how people formulate their requests to join. Vague requests are > generally rejected in most places, and rightly so. > > Having minimum standards of quality is not "hierarchy". All debian processes has been about advocacy and decision by people who have worked with new people. It was never about people who are unaware about the contributions. In this case, being the person who has worked close with them, I should have been the right person to decide. But it seems people who are totally uninformed wants to decide and just want to use their personal prejudice as the single deciding factor. I do not see this as sustainable and I will not approve any more requests in this team. if we, as a team are unable to follow the processes in line with the debian philosophy and spirit, I will remove myself as an admin from this team. I will not import any of these repos to alioth. Someone who relish authority and elitism has to do the extra work. signature.asc Description: OpenPGP digital signature -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
On വ്യാഴം 05 ജനുവരി 2017 10:20 വൈകു, Ximin Luo wrote: > Let's please talk about the specifics of this situation rather than appealing > to vague notions of being welcoming. This is completely arbitrary restriction. I was thinking we evaluate people based on what they have done, rather than when and where they have done it. I don't agree with this notion. > It's my experience that events like these do not generally result in > long-term maintainers. Yes, I am indeed treating them as "inactive" before > they have already joined, based on what I have seen of related events. So I > propose some reasonable checks, to ensure that we get people who are > interested. I disagree that this attitude is flawed. This is pure prejudice based on your personal experience. We should not be basing our standards based on personal prejudice and paint a large number of people with same color. > I didn't propose a similar check for previous incoming contributors because > they did not have a background context of a mass-join event. So it does not > make sense to compare these two situations. Arbitrary and discriminatory. > We totally do validate membership (everywhere, not just this alioth group) > based on how people formulate their requests to join. Vague requests are > generally rejected in most places, and rightly so. > > Having minimum standards of quality is not "hierarchy". I have asked them to push their work to git.fosscommunity.in and send RFS mails to this list. Those who institute such bureaucracy should also volunteer to import these repos to alioth. I do not want to be forced to do extra work. Other option would have been using mentors.debian.net, but we lose the ability to incorporate their git history (or like now depend on external services). I will also look at possibility of using personal alioth repositories. signature.asc Description: OpenPGP digital signature -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
Hi, On 05/01/2017 20:39, Jonas Smedegaard wrote: I don't think anyone has suggested or implied forcing anyone to do anything (please help point out if I missed some detail on that!). I meant if they just attended an event, they may have little motivation to actually join any team, so getting in just for the occasion might not be sensible -- neither for them or for the team. Snark on #debian-js -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
Quoting Julien Puydt (2017-01-05 18:41:22) > On 05/01/2017 18:24, Jonas Smedegaard wrote: > > Quoting Ximin Luo (2017-01-05 17:50:00) > >> I propose some reasonable checks, to ensure that we get people who are > >> interested. I disagree that this attitude is flawed. > > > > Thanks. Ximin. > > > > What do others think? > > Until now the discussion seems to have been centered on the Debian > JavaScript Team : should it accept them? Isn't it a security problem to > grant them access? Won't they leave the team out in the cold after > pushing their packages? > > But those are actual people, not just names : are all applicants aware > they are expected to maintain those packages? Are they really interested > in doing so? Do they have any long-term use for an account on alioth? > > I'm for granting them access if they have something to contribute and > they want to join, but I'm againsts forcing them to join to contribute. Thanks! I don't think anyone has suggested or implied forcing anyone to do anything (please help point out if I missed some detail on that!). On the matter of treating newcomers as real people: Approved or not, anyone are free to join this mailinglist ans speak up (e.g. to answer my early question question whether intent is releasing package or maintain, which it is still hanging unanswered!). Anyone else having opinions on the matter? - Jonas -- * Jonas Smedegaard - idealist & Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
Hi, On 05/01/2017 18:24, Jonas Smedegaard wrote: Quoting Ximin Luo (2017-01-05 17:50:00) I propose some reasonable checks, to ensure that we get people who are interested. I disagree that this attitude is flawed. Thanks. Ximin. What do others think? Until now the discussion seems to have been centered on the Debian JavaScript Team : should it accept them? Isn't it a security problem to grant them access? Won't they leave the team out in the cold after pushing their packages? But those are actual people, not just names : are all applicants aware they are expected to maintain those packages? Are they really interested in doing so? Do they have any long-term use for an account on alioth? I'm for granting them access if they have something to contribute and they want to join, but I'm againsts forcing them to join to contribute. Cheers, Snark on #debian-js -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
Quoting Ximin Luo (2017-01-05 17:50:00) > I propose some reasonable checks, to ensure that we get people who are > interested. I disagree that this attitude is flawed. Thanks. Ximin. What do others think? - Jonas -- * Jonas Smedegaard - idealist & Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
Jonas Smedegaard: > [..] > > I (loudly!) oppose treating not-yet-members as inactive: Improving > security by minimizing activity is a luxury we cannot afford! > > [..] > > Since when did we validate membership based on how they formulated > their requests to join? > > Were you yourself treated with scrutiny when you joined, then I > appologize on behalf of the team, and kindly ask you to not repeat that > flawed attitude towards newcomers. > > or alternatively - if this team generally appraise such attitude, I will > respect that by leaving the team, as I personally appreciate the *lack* > of hierarchy in Debian. > Let's please talk about the specifics of this situation rather than appealing to vague notions of being welcoming. It's my experience that events like these do not generally result in long-term maintainers. Yes, I am indeed treating them as "inactive" before they have already joined, based on what I have seen of related events. So I propose some reasonable checks, to ensure that we get people who are interested. I disagree that this attitude is flawed. I didn't propose a similar check for previous incoming contributors because they did not have a background context of a mass-join event. So it does not make sense to compare these two situations. We totally do validate membership (everywhere, not just this alioth group) based on how people formulate their requests to join. Vague requests are generally rejected in most places, and rightly so. Having minimum standards of quality is not "hierarchy". X -- GPG: ed25519/56034877E1F87C35 GPG: rsa4096/1318EFAC5FBBDBCE https://github.com/infinity0/pubkeys.git -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
Quoting Ximin Luo (2017-01-05 16:26:00) > Jonas Smedegaard: > > Quoting Ximin Luo (2017-01-05 13:51:00) > >> > >> [..] > >> > >> The security aspect is just one factor, not the main factor. > > > > Ok, you now tell me that security is not the main factor. > > > > I clearly read your previous email as if security was the main factor > > for rejecting these requests. For clarity of discussion I shall > > *ignore* the security factor. > > > > > >> But to give more detail, (a) just because we have "little" security, > >> doesn't mean we have to make it quantitatively worse, which we will do > >> if we add anyone that asks - it adds surface area. And (b) the > >> standards of time and continual maintenance that I described > >> elsewhere, also indicates that a person is careful about their general > >> computing practices, which also helps to not-reduce security - > >> compared to giving access to a random person. > > > > Do I understand you correctly that in your opinion the main factor is > > devotion to continued mainentance? > > > > I agree it's the main factor, but for me this is also linked to security. > Having lots of inactive people with that level of access increases risk with > no benefit in return. It's better to have fewer active people. (Of course > lots of active people are even better.) I welcome suggestions for how we might identify and maybe even kick inactive users. I won't spend time proposing or defending such procedures myself, as I find no need for them (we use this team only to exchange emails and exchange git repos - each of us is responsible to validate each email and each git repo!!!). I (loudly!) oppose treating not-yet-members as inactive: Improving security by minimizing activity is a luxury we cannot afford! > > If so, then we agree on what is "main factor" - but still we > > disagree on how to then deal with it: > > > > It seems Praveen find it reasonable to approve "because they are > > ready to upload their packages", and it seems you find that exact > > situation reason for rejecting. I find it neither reject nor > > approve reason. > > > > I welcome into this team any and all persons who feel they are ready > > to *maintain* official Debian packages. I find it wrong to impose > > restrictions on that, but I want to emphasize _maintain_ - this team > > is *not* the Javascript *contribution* team (there are other methods > > to contribute to Debian in other ways than continuous mainenance). > > > > This is why I suggested having them apply individually later. I disagree that requiring individual membership requests helps. Some are inspired to join when alone and seeking friends, other are inspired to join when with friends also joining, or when meeting and working concentrated for days with a role model - as I guess might be the case for (some or all of) these applicants. > They can see if they're comfortable with doing this semi-regularly. > Everything is more fun at a group event but this is not the same as > robust long-term maintenance of packages. I sure hope you are telling me how *you* find it fun to collaborate. If you are imposing on me and others in this team the reasons we should find it fun to be here, you are effectively *discouraging* anyone with different personality than yourself. Please embrace variety! > Another issue that I noticed is some of the requests were very vague. > (Other requests were suitably specific.) I hope these are fixed the > next time around. Since most of these javascript packages are very > small, it would also be good to mention more numbers of packages in > these requests. Since when did we validate membership based on how they formulated their requests to join? Were you yourself treated with scrutiny when you joined, then I appologize on behalf of the team, and kindly ask you to not repeat that flawed attitude towards newcomers. or alternatively - if this team generally appraise such attitude, I will respect that by leaving the team, as I personally appreciate the *lack* of hierarchy in Debian. - Jonas -- * Jonas Smedegaard - idealist & Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
Quoting Paolo Greppi (2017-01-05 15:40:16) > On 05/01/2017 14:00, Pirate Praveen wrote: > > On വ്യാഴം 05 ജനുവരി 2017 06:09 വൈകു, Ximin Luo wrote: > >> This has nothing to do with tools, as Jonas mentioned it is about a > >> continual time dedication to a FOSS project. Please try to understand this. > > Yes, it has a lot to do with our tools. If we were using a git hosting > > tool like gitlab or pagure, we could have reviewed pull requests before > > we grant access to a new contributor. > > > > You can't demand such dedication from a new contributor. Did you sign > > such a commitment before you got access to pkg-javascript team and debian? > > > > What did you mean when you said they can use github.com? Isn't that > > evidence of our lack of tools to bring new people to debian? Why should > > I tell anyone to use a proprietary service to contribute to debian? This > > is something we got to fix. > > When I read this, I became curious about who creates and contributes to repos > in /git/pkg-javascript. Here is what I found out thanks to my paolog-guest > shell access to git.d.o. > > There are 876 subdirs in /git/pkg-javascript, and they were created by 30 > guest accounts and 37 non-guest accounts. A recursive search on all contained > files & subdirs yields a grand total of 33 guest accounts and 46 non-guest > (apparently not many people push to repositories someone else had created). > > For those git repos we are using a setup that the git docs [1] advise for "a > small outfit", but 79 seems more than "few developers" ... For larger teams > they advise gitosis or gitolite; only the latter seems to be an active > project and is packaged as gitolite3. > > My comments: > > - the tools we have are in line with rest of the debian tools (WOT, BTS ...): > CLI, raw and based on trust > > - granting shell access to guests is consistent with that culture > > - but 10 new guest accounts added to the pkg-javascript team in one > shot is a lot (+30%); also mass requests to join the team sound like > spamming (but that's clearly not the case here !) > > - when I was a student at the uni a long time ago I remember we were > willing to go a long way to please the professors **before** the exam > ;-) > > - if gitolite were installed and configured on moszumanska (git.d.o.), it > would probably be possible to set up access control on select repos for > external "contributors"; "contributor" here is meant in a sense similar to > "debian contributor" idea [2]. > > In conclusion, Debian Contributor is a suitable status for a student > who wants to give it a try during a seminar. If they pass the exam and > **afterwards** out of their free will submit a request to join > pkg-javascript, then the path from contributor to DD is open to them ! Yes, statistics may show how many in this team currently collaborate how much. And yes, Alioth provide us tools to separate our team in multiple classes of members. Do we want to maintain our current level of (lack of) collaboration? Do we want multiple classes of users? I want this team to be equal peers - one class with equal access rights. I want this team to be for maintainers helping each other as time and skills permit. If we should ever reject anyone, then only those who have demonstrated *not* collaborating or *not* maintaining - we should never refuse people based on fear that they will not do so in the future. That's why I ask (but do not demand proof) if these concrete newcomers are able and interested in not only releasing packages but also in maintaining them. - Jonas -- * Jonas Smedegaard - idealist & Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
Jonas Smedegaard: > Quoting Ximin Luo (2017-01-05 13:51:00) >> >> [..] >> >> The security aspect is just one factor, not the main factor. > > Ok, you now tell me that security is not the main factor. > > I clearly read your previous email as if security was the main factor > for rejecting these requests. For clarity of discussion I shall > *ignore* the security factor. > > >> But to give more detail, (a) just because we have "little" security, >> doesn't mean we have to make it quantitatively worse, which we will do >> if we add anyone that asks - it adds surface area. And (b) the >> standards of time and continual maintenance that I described >> elsewhere, also indicates that a person is careful about their general >> computing practices, which also helps to not-reduce security - >> compared to giving access to a random person. > > Do I understand you correctly that in your opinion the main factor is > devotion to continued mainentance? > I agree it's the main factor, but for me this is also linked to security. Having lots of inactive people with that level of access increases risk with no benefit in return. It's better to have fewer active people. (Of course lots of active people are even better.) > If so, then we agree on what is "main factor" - but still we disagree on > how to then deal with it: > > It seems Praveen find it reasonable to approve "because they are ready > to upload their packages", and it seems you find that exact situation > reason for rejecting. I find it neither reject nor approve reason. > > I welcome into this team any and all persons who feel they are ready to > *maintain* official Debian packages. I find it wrong to impose > restrictions on that, but I want to emphasize _maintain_ - this team is > *not* the Javascript *contribution* team (there are other methods to > contribute to Debian in other ways than continuous mainenance). > This is why I suggested having them apply individually later. They can see if they're comfortable with doing this semi-regularly. Everything is more fun at a group event but this is not the same as robust long-term maintenance of packages. Another issue that I noticed is some of the requests were very vague. (Other requests were suitably specific.) I hope these are fixed the next time around. Since most of these javascript packages are very small, it would also be good to mention more numbers of packages in these requests. X -- GPG: ed25519/56034877E1F87C35 GPG: rsa4096/1318EFAC5FBBDBCE https://github.com/infinity0/pubkeys.git -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
Pirate Praveen: > On വ്യാഴം 05 ജനുവരി 2017 06:44 വൈകു, Ximin Luo wrote: >> It's normal convention in any organisation or project to temporarily revert >> a change that is controversial. > > ok. > >> Adding 10 new people from an event, every time there is an event, is also >> not sustainable as a team. > > I have organized many packaging workshops over the years. I don't grant > access to any one just because they attended an event. I have granted > them access only because I am convinced they qualify to get this access. > > They learned how to make a package lintian clean, how run a clean build > using sbuild, make patches using quilt, how to repack. They did all this > by themselves on 3-4 packages that was already packaged before they > started with a new package. > OK, thanks for sharing these details, it really helps us to properly discuss this situation. In terms of knowledge, it sounds like they are sufficiently capable. I still think it's better to have them make requests in their own time, instead of all at once. This gives some time for us to read properly their request, and distinguish and remember them as individuals separately from the other people that also want to join. It also gives them some time to practise these things and decide if they really want to continue with it in the long run. I agree with Jonas that this team (and other alioth teams) should be about maintenance, not just contributions. (We can continue on this topic in the other subthread.) >> Please respond to my points (about responsibility, maintenance and events) >> instead of accusing me of "contempt" simply because I disagreed with your >> actions. > > We do not have such rules for accepting a first package or granting them > access to a project. I was only following the convention we have set for > this team. > >> I also don't see why you are making such a fuss. The conditions I described >> (making a request at a later date, individually) are not particularly hard >> to achieve, and helps to confirm their true long-term interest in being a >> team member, to the rest of us that are unsure about these events. > > I make a fuss because you are acting arbitrarily, making up policies and > rules on the go. > I understand. I did not mean to arbitrarily impose anything - reverting their membership was only meant as a temporary measure whilst the discussion is still ongoing. X -- GPG: ed25519/56034877E1F87C35 GPG: rsa4096/1318EFAC5FBBDBCE https://github.com/infinity0/pubkeys.git -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
Quoting Pirate Praveen (2017-01-05 14:06:32) > On വ്യാഴം 05 ജനുവരി 2017 06:21 വൈകു, Ximin Luo wrote: > > We don't have hard rules, but we all have our ideas about what is right or > > wrong. For you, it is a question of "are they aware". For me, I explained > > it in my other email, and it roughly overlaps with "are they aware". > > I have accepted their request because I have spent time with them. By > removing people that I have accepted you showed contempt for my > judgment. What authority do you have to remove people from the project > just because they are new? > > Is this how this team want to continue? If I have acted wrongly, then > please remove my admin access as well. But this kind of action is not > sustainable as a team. Please stay, Praveen! Please do not kick out people, Ximin! Please, everyone else (and newcomers in particular): Please feel welcome in the javascript maintainers team when you feel able and interested in *maintaining* official debian javascript-related packages. Let's discuss here. -- * Jonas Smedegaard - idealist & Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
Quoting Ximin Luo (2017-01-05 13:51:00) > Jonas Smedegaard: >> Quoting Ximin Luo (2017-01-05 12:53:00) >>> Pirate Praveen: On വ്യാഴം 05 ജനുവരി 2017 04:22 വൈകു, Jérémy Lal wrote: > This is great, but is this serious ? > Anyone knows what's happening ? [...] I'm taking a packaging workshop at College of Engineering Pune [1]. This is 4th day of the workshop and many have completed their packages and are ready for upload. [...] >>> Hi, please don't add these people. >>> >>> People in the alioth group have read-write access to all >>> pkg-javascript git repos as well as shell access on that machine. >>> >>> I don't think it's right to give this many people, who show up at an >>> event, this level of access without any other requirement. It is too >>> dangerous. [...] >> We do not in this team have any rules for membership that one must >> first prove her worth by packaging outside of Debian, not that they >> must use their spare time doing so! >> >> I am concerned if people requesting to join are fully aware what it is >> they join, which is why I asked about that. But I see nothing wrong >> with approving people we don't know well. > > > > We must recognize that we have little security fencing the assets of > > this team, and treat them accordingly (double-check what you pull, sign > > changes you make, etc.). Making it harder to join this team does *not* > > help secure our assets! > > > > We don't have hard rules, but we all have our ideas about what is > right or wrong. For you, it is a question of "are they aware". For me, > I explained it in my other email, and it roughly overlaps with "are > they aware". > > The security aspect is just one factor, not the main factor. Ok, you now tell me that security is not the main factor. I clearly read your previous email as if security was the main factor for rejecting these requests. For clarity of discussion I shall *ignore* the security factor. > But to give more detail, (a) just because we have "little" security, > doesn't mean we have to make it quantitatively worse, which we will do > if we add anyone that asks - it adds surface area. And (b) the > standards of time and continual maintenance that I described > elsewhere, also indicates that a person is careful about their general > computing practices, which also helps to not-reduce security - > compared to giving access to a random person. Do I understand you correctly that in your opinion the main factor is devotion to continued mainentance? If so, then we agree on what is "main factor" - but still we disagree on how to then deal with it: It seems Praveen find it reasonable to approve "because they are ready to upload their packages", and it seems you find that exact situation reason for rejecting. I find it neither reject nor approve reason. I welcome into this team any and all persons who feel they are ready to *maintain* official Debian packages. I find it wrong to impose restrictions on that, but I want to emphasize _maintain_ - this team is *not* the Javascript *contribution* team (there are other methods to contribute to Debian in other ways than continuous mainenance). - Jonas -- * Jonas Smedegaard - idealist & Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
On വ്യാഴം 05 ജനുവരി 2017 06:44 വൈകു, Ximin Luo wrote: > It's normal convention in any organisation or project to temporarily revert a > change that is controversial. ok. > Adding 10 new people from an event, every time there is an event, is also not > sustainable as a team. I have organized many packaging workshops over the years. I don't grant access to any one just because they attended an event. I have granted them access only because I am convinced they qualify to get this access. They learned how to make a package lintian clean, how run a clean build using sbuild, make patches using quilt, how to repack. They did all this by themselves on 3-4 packages that was already packaged before they started with a new package. > Please respond to my points (about responsibility, maintenance and events) > instead of accusing me of "contempt" simply because I disagreed with your > actions. We do not have such rules for accepting a first package or granting them access to a project. I was only following the convention we have set for this team. > I also don't see why you are making such a fuss. The conditions I described > (making a request at a later date, individually) are not particularly hard to > achieve, and helps to confirm their true long-term interest in being a team > member, to the rest of us that are unsure about these events. I make a fuss because you are acting arbitrarily, making up policies and rules on the go. signature.asc Description: OpenPGP digital signature -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
Pirate Praveen: > On വ്യാഴം 05 ജനുവരി 2017 06:21 വൈകു, Ximin Luo wrote: >> We don't have hard rules, but we all have our ideas about what is right or >> wrong. For you, it is a question of "are they aware". For me, I explained it >> in my other email, and it roughly overlaps with "are they aware". > > I have accepted their request because I have spent time with them. By > removing people that I have accepted you showed contempt for my > judgment. What authority do you have to remove people from the project > just because they are new? > > Is this how this team want to continue? If I have acted wrongly, then > please remove my admin access as well. But this kind of action is not > sustainable as a team. > It's normal convention in any organisation or project to temporarily revert a change that is controversial. Adding 10 new people from an event, every time there is an event, is also not sustainable as a team. Please respond to my points (about responsibility, maintenance and events) instead of accusing me of "contempt" simply because I disagreed with your actions. I also don't see why you are making such a fuss. The conditions I described (making a request at a later date, individually) are not particularly hard to achieve, and helps to confirm their true long-term interest in being a team member, to the rest of us that are unsure about these events. X -- GPG: ed25519/56034877E1F87C35 GPG: rsa4096/1318EFAC5FBBDBCE https://github.com/infinity0/pubkeys.git -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
On വ്യാഴം 05 ജനുവരി 2017 06:21 വൈകു, Ximin Luo wrote: > We don't have hard rules, but we all have our ideas about what is right or > wrong. For you, it is a question of "are they aware". For me, I explained it > in my other email, and it roughly overlaps with "are they aware". I have accepted their request because I have spent time with them. By removing people that I have accepted you showed contempt for my judgment. What authority do you have to remove people from the project just because they are new? Is this how this team want to continue? If I have acted wrongly, then please remove my admin access as well. But this kind of action is not sustainable as a team. signature.asc Description: OpenPGP digital signature -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
Pirate Praveen: > On വ്യാഴം 05 ജനുവരി 2017 06:09 വൈകു, Ximin Luo wrote: >> This has nothing to do with tools, as Jonas mentioned it is about a >> continual time dedication to a FOSS project. Please try to understand this. > > Yes, it has a lot to do with our tools. If we were using a git hosting > tool like gitlab or pagure, we could have reviewed pull requests before > we grant access to a new contributor. > > You can't demand such dedication from a new contributor. Did you sign > such a commitment before you got access to pkg-javascript team and debian? > > What did you mean when you said they can use github.com? Isn't that > evidence of our lack of tools to bring new people to debian? Why should > I tell anyone to use a proprietary service to contribute to debian? This > is something we got to fix. > >> It is easy to find people that will do some work at an event under guidance, >> but this is very different from someone finding alioth in their own spare >> time and out of their own motivation. So the situation is different from >> typical contributors that make these requests. > > We don't ask any new contributor for such commitment and it is not > acceptable you acting unilaterally and removing people from the group. > >> To be granted access, someone should demonstrate that they will properly >> take care of the things they claim responsibility for, not merely doing a >> one-time task at a fun event that temporarily is quite enjoyable. > > We don't ask such questions to any new contributors. Is it just because > there were many? If there were only one or two people, you would not > have even noticed it. So is bringing more people to debian discouraged? > >> As I said, I will happily agree to accept any of these people if they send >> in a request at a later date, indicating that they have one of the latter >> qualities, either by packaging a second package or by showing that they have >> properly maintained the first package that they have taken on. > > If that is the qualification, then we should make it as a team policy > and enforce it for everyone. > >> Otherwise, from what you described, it doesn't seem like alioth access is >> vital for what these people want to do anyway. > > You clearly accepted my argument that its a tool problem. We don't have > tools in debian to accept contributions this way. > Please try to understand the difference between 10 people at an event asking for access because 1 person instructed them to, vs single people asking for access at unrelated periods. Otherwise, this discussion won't move forward. There are many ways of contributing to Debian and FOSS, and spamming your way into infrastructure isn't one of them. Some people have said they agree with me in other channels, so I am acting as "unilaterally" as you are, by inviting this many people into the group without consulting people first. I don't think we need a formal policy, just rough understanding of the point that I am trying to make: 10 people at an event asking for access because 1 person instructed them to, vs single people asking for access at unrelated periods. These are very very different things. Please try to understand this, rather than nitpicking various aspects of the point I am making. X -- GPG: ed25519/56034877E1F87C35 GPG: rsa4096/1318EFAC5FBBDBCE https://github.com/infinity0/pubkeys.git -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
On വ്യാഴം 05 ജനുവരി 2017 06:09 വൈകു, Ximin Luo wrote: > This has nothing to do with tools, as Jonas mentioned it is about a continual > time dedication to a FOSS project. Please try to understand this. Yes, it has a lot to do with our tools. If we were using a git hosting tool like gitlab or pagure, we could have reviewed pull requests before we grant access to a new contributor. You can't demand such dedication from a new contributor. Did you sign such a commitment before you got access to pkg-javascript team and debian? What did you mean when you said they can use github.com? Isn't that evidence of our lack of tools to bring new people to debian? Why should I tell anyone to use a proprietary service to contribute to debian? This is something we got to fix. > It is easy to find people that will do some work at an event under guidance, > but this is very different from someone finding alioth in their own spare > time and out of their own motivation. So the situation is different from > typical contributors that make these requests. We don't ask any new contributor for such commitment and it is not acceptable you acting unilaterally and removing people from the group. > To be granted access, someone should demonstrate that they will properly take > care of the things they claim responsibility for, not merely doing a one-time > task at a fun event that temporarily is quite enjoyable. We don't ask such questions to any new contributors. Is it just because there were many? If there were only one or two people, you would not have even noticed it. So is bringing more people to debian discouraged? > As I said, I will happily agree to accept any of these people if they send in > a request at a later date, indicating that they have one of the latter > qualities, either by packaging a second package or by showing that they have > properly maintained the first package that they have taken on. If that is the qualification, then we should make it as a team policy and enforce it for everyone. > Otherwise, from what you described, it doesn't seem like alioth access is > vital for what these people want to do anyway. You clearly accepted my argument that its a tool problem. We don't have tools in debian to accept contributions this way. signature.asc Description: OpenPGP digital signature -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
Jonas Smedegaard: > Quoting Ximin Luo (2017-01-05 12:53:00) >> Pirate Praveen: >>> On വ്യാഴം 05 ജനുവരി 2017 04:22 വൈകു, Jérémy Lal wrote: This is great, but is this serious ? Anyone knows what's happening ? > >>> I'm taking a packaging workshop at College of Engineering Pune [1]. >>> >>> This is 4th day of the workshop and many have completed their packages >>> and are ready for upload. >>> >>> https://lists.debian.org/debian-dug-in/2016/12/msg1.html >>> >>> Initially some sent requests before I told them to give details about >>> their package. So please approve if the information is complete. >>> >> >> Hi, please don't add these people. >> >> People in the alioth group have read-write access to all pkg-javascript git >> repos as well as shell access on that machine. >> >> I don't think it's right to give this many people, who show up at an event, >> this level of access without any other requirement. It is too dangerous. >> >> I have rejected these requests and removed these people until they package a >> second package *in their own spare time* outside of an event. In the >> meantime, they can push their packages on github, this is adequate for a >> sponsored upload to Debian. > > I disagree with that approach, Ximian: > > We do not in this team have any rules for membership that one must first > prove her worth by packaging outside of Debian, not that they must use > their spare time doing so! > > I am concerned if people requesting to join are fully aware what it is > they join, which is why I asked about that. But I see nothing wrong > with approving people we don't know well. > > We must recognize that we have little security fencing the assets of > this team, and treat them accordingly (double-check what you pull, sign > changes you make, etc.). Making it harder to join this team does *not* > help secure our assets! > We don't have hard rules, but we all have our ideas about what is right or wrong. For you, it is a question of "are they aware". For me, I explained it in my other email, and it roughly overlaps with "are they aware". The security aspect is just one factor, not the main factor. But to give more detail, (a) just because we have "little" security, doesn't mean we have to make it quantitatively worse, which we will do if we add anyone that asks - it adds surface area. And (b) the standards of time and continual maintenance that I described elsewhere, also indicates that a person is careful about their general computing practices, which also helps to not-reduce security - compared to giving access to a random person. X -- GPG: ed25519/56034877E1F87C35 GPG: rsa4096/1318EFAC5FBBDBCE https://github.com/infinity0/pubkeys.git -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
Pirate Praveen: > On വ്യാഴം 05 ജനുവരി 2017 05:23 വൈകു, Ximin Luo wrote: >> Hi, please don't add these people. >> >> People in the alioth group have read-write access to all pkg-javascript git >> repos as well as shell access on that machine. >> >> I don't think it's right to give this many people, who show up at an event, >> this level of access without any other requirement. It is too dangerous. > > They have been learning packaging and doing hands on work for 4 full > days (at least 8*4 hours of continuous packaging work). This is how we > add new people to a project. It is something that has to be fixed in the > tools. > >> I have rejected these requests and removed these people until they package a >> second package *in their own spare time* outside of an event. In the >> meantime, they can push their packages on github, this is adequate for a >> sponsored upload to Debian. > > I think they qualify the requirements we ask for any new contributor. > This has nothing to do with tools, as Jonas mentioned it is about a continual time dedication to a FOSS project. Please try to understand this. It is easy to find people that will do some work at an event under guidance, but this is very different from someone finding alioth in their own spare time and out of their own motivation. So the situation is different from typical contributors that make these requests. To be granted access, someone should demonstrate that they will properly take care of the things they claim responsibility for, not merely doing a one-time task at a fun event that temporarily is quite enjoyable. As I said, I will happily agree to accept any of these people if they send in a request at a later date, indicating that they have one of the latter qualities, either by packaging a second package or by showing that they have properly maintained the first package that they have taken on. Otherwise, from what you described, it doesn't seem like alioth access is vital for what these people want to do anyway. X -- GPG: ed25519/56034877E1F87C35 GPG: rsa4096/1318EFAC5FBBDBCE https://github.com/infinity0/pubkeys.git -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
On വ്യാഴം 05 ജനുവരി 2017 05:23 വൈകു, Ximin Luo wrote: > Hi, please don't add these people. > > People in the alioth group have read-write access to all pkg-javascript git > repos as well as shell access on that machine. > > I don't think it's right to give this many people, who show up at an event, > this level of access without any other requirement. It is too dangerous. They have been learning packaging and doing hands on work for 4 full days (at least 8*4 hours of continuous packaging work). This is how we add new people to a project. It is something that has to be fixed in the tools. > I have rejected these requests and removed these people until they package a > second package *in their own spare time* outside of an event. In the > meantime, they can push their packages on github, this is adequate for a > sponsored upload to Debian. I think they qualify the requirements we ask for any new contributor. signature.asc Description: OpenPGP digital signature -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
Re: [Pkg-javascript-devel] lots of requests to join pkg-javascript
On വ്യാഴം 05 ജനുവരി 2017 04:22 വൈകു, Jérémy Lal wrote: > This is great, but is this serious ? > Anyone knows what's happening ? Hi Jeremy, I'm taking a packaging workshop at College of Engineering Pune [1]. This is 4th day of the workshop and many have completed their packages and are ready for upload. https://lists.debian.org/debian-dug-in/2016/12/msg1.html Initially some sent requests before I told them to give details about their package. So please approve if the information is complete. Thanks Praveen signature.asc Description: OpenPGP digital signature -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] lots of requests to join pkg-javascript
This is great, but is this serious ? Anyone knows what's happening ? Jérémy -- Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
