Re: Good communication with upstream is good idea
On Sun, 2008-07-20 at 12:16 -0400, Scott Kitterman wrote: > On Sunday 20 July 2008 12:05, Florian Weimer wrote: > > * Osamu Aoki: > > > I found some of my packages are offered as a part of Ubuntu archive. > > > > Same here. In my case (debsecan), it's a bit irresponsible because the > > package doesn't really work on Ubuntu--but it's not readily apparent to > > potential users. Furthermore, it uses server resources provided to > > Debian, and not to Ubuntu. > > > > What's the correct way to get it out of Unbuntu (universe)? I don't > > want to relicense it, but if asking politely does not work, it seems to > > be my only choice. > > The preferred way of 'asking politely' is a removal bug. The process is > described here: Which cannot be done without yet-another-website-login-combo-to-use-once-and-lose-forevermore - useless Ubuntu bug tracker. :-( I do feed info upstream (via yet more website logins), I really can't add yet another one. That was the main point of my original blog entry linked from the previous post. Having to ask the lazy web to sort out bugs in Ubuntu is just daft, IMHO, but that's what LP requires. As I say, daft. -- Neil Williams = http://www.data-freedom.org/ http://www.nosoftwarepatents.com/ http://www.linux.codehelp.co.uk/ signature.asc Description: This is a digitally signed message part -- Ubuntu-motu mailing list Ubuntu-motu@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-motu
Good communication with upstream is good idea
Hi, I found some of my packages are offered as a part of Ubuntu archive. (Practically copied with minor adjustment.) That is good but I felt a bit strange since I needed to use my time to find it out. Then, I realized I am no better than the Ubuntu MOTU developers on how to deal with upstream as Debian Developer. I think we should encourage packager to contact upstream with simple "hello!" message and he (or myself) should be part of active upstream ML. After all, we all are human. Friendly "hello" always helps people. I know this is not something we need to have as policy but as a part of best practice document, it is good to mention. For Debian, "Developers Reference". If I miss it in "Developers Reference", I am sorry. I also appreciate Ubuntu MOTU developers who port Debian packages to do the same. (Or Ubuntu employees to encourage such action to their volunteer.) For Debian, please continue discussion on Debian list. If you think this is valid and have good English skill, please propose patch to Developers reference. For Ubuntu, please continue discussion on Ubuntu list while you may CC me since I do not subscribe to it. Please, do not flame. That is not my intension of this posting. Just a thought and suggestion to improve human relations in general. Osamu -- Ubuntu-motu mailing list Ubuntu-motu@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-motu
Re: Good communication with upstream is good idea
On Sun, 2008-07-20 at 18:05 +0200, Florian Weimer wrote: > * Osamu Aoki: > > > I found some of my packages are offered as a part of Ubuntu archive. Have you found any that are not? > Same here. In my case (debsecan), it's a bit irresponsible because the > package doesn't really work on Ubuntu--but it's not readily apparent to > potential users. Furthermore, it uses server resources provided to > Debian, and not to Ubuntu. > > What's the correct way to get it out of Unbuntu (universe)? I don't > want to relicense it, but if asking politely does not work, it seems to > be my only choice. How would you relicence it in a manner that prevents use in Ubuntu but retains DFSG compatibility to remain in Debian main? Trying to ban Ubuntu usage would, AFAICT, fall foul of "discrimination against fields of endeavour". I ask because emdebian-tools isn't intended for Ubuntu either. See [0] - emdebian-tools also depends on server resources provided only by Debian (in this case, the package repositories containing compatible packages which I can use to generate cross-dependencies). "emdebian-tools is not intended for Ubuntu but I don't have a way of encoding that in the package. emdebian-tools is tightly integrated into Debian (and Debian unstable in particular) and is, naturally, a Debian native package (it was written to support Embedded Debian after all, not UbuntuMobile). It isn't intended to work on Ubuntu because Ubuntu does not provide the foreign packages needed for linking when cross building, those come exclusively from Debian. Same with apt-cross, it is exclusively designed for Debian, Debian mirrors and Debian buildd configurations. How is emdebian-tools meant to cross-build for ARM on Ubuntu when Ubuntu does not provide ARM packages and makes changes to the equivalent Debian packages? To me it seems highly unlikely that cross versions of Debian packages would install over a Ubuntu base, especially when those packages are the typical debootstrap selection that have a variety of changes in Ubuntu. I don't run Ubuntu, I have no inclination to test for Ubuntu and as no-one else has offered, I cannot support Ubuntu." How many packages could be in this situation? I don't expect it to be many. Some form of filter on the Ubuntu side may be necessary. Alternatively, is there a package that I can list in Conflicts: that is only present in Debian derivatives? Yes, any mechanism could be abused but MOTU-people could always file bugs in the BTS about such usage. [0] http://www.linux.codehelp.co.uk/serendipity/index.php?/archives/122-Migrating-Emdebian-changes-into-Debian,-not-Ubuntu.html -- Neil Williams = http://www.data-freedom.org/ http://www.nosoftwarepatents.com/ http://www.linux.codehelp.co.uk/ signature.asc Description: This is a digitally signed message part -- Ubuntu-motu mailing list Ubuntu-motu@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-motu
Re: Good communication with upstream is good idea
On Sunday 20 July 2008 12:05, Florian Weimer wrote: > * Osamu Aoki: > > I found some of my packages are offered as a part of Ubuntu archive. > > Same here. In my case (debsecan), it's a bit irresponsible because the > package doesn't really work on Ubuntu--but it's not readily apparent to > potential users. Furthermore, it uses server resources provided to > Debian, and not to Ubuntu. > > What's the correct way to get it out of Unbuntu (universe)? I don't > want to relicense it, but if asking politely does not work, it seems to > be my only choice. The preferred way of 'asking politely' is a removal bug. The process is described here: https://wiki.ubuntu.com/UbuntuDevelopment/PackageArchive?highlight=%28archive%29#head-6a4a4d2ad0cc004c6199f465539e3bbc2239291e or if you don't want to unwrap the long URL: http://preview.tinyurl.com/5ce4jk Other than reading the pacakge description just now, I'm not familiar with the package. Would it make more sense for someone in Ubuntu to adapt the package to work in the Ubuntu context than to remove it? It looks like it would be useful there too. Scott K -- Ubuntu-motu mailing list Ubuntu-motu@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-motu
Re: Good communication with upstream is good idea
On Mon, Jul 21, 2008 at 2:13 AM, Steve Langasek <[EMAIL PROTECTED]> wrote: > You can close Launchpad bugs in Ubuntu packages from Debian. The "LP: ##" > syntax lets bugs get autoclosed when your package is synced to Debian, or > when it's merged by an Ubuntu developer. Thanks Steve, for this. I can now close bugs without worrying and not having LP account! -- Cheers, Kartik Mistry | 0xD1028C8D | IRC: kart_ Blogs: {ftbfs,kartikm}.wordpress.com -- Ubuntu-motu mailing list Ubuntu-motu@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-motu
Re: Good communication with upstream is good idea
Hi Neil, On Sun, Jul 20, 2008 at 05:32:31PM +0100, Neil Williams wrote: > I ask because emdebian-tools isn't intended for Ubuntu either. See [0] - > emdebian-tools also depends on server resources provided only by Debian > (in this case, the package repositories containing compatible packages > which I can use to generate cross-dependencies). That doesn't seem particularly Debian-specific, though? It's not out of the question that Ubuntu could have an armel port later, and that's the only thing I can think of that /should/ cause emdebian-tools to be incompatible with Ubuntu. > "emdebian-tools is not intended for Ubuntu but I don't have a way of > encoding that in the package. emdebian-tools is tightly integrated into > Debian (and Debian unstable in particular) and is, naturally, a Debian > native package (it was written to support Embedded Debian after all, not > UbuntuMobile). It isn't intended to work on Ubuntu because Ubuntu does > not provide the foreign packages needed for linking when cross building, > those come exclusively from Debian. So if an armel port of Ubuntu becomes available, is there anything else that stops emdebian-tools from working with it? > Same with apt-cross, it is exclusively designed for Debian, Debian mirrors > and Debian buildd configurations. How does apt-cross have anything to do with the Debian buildds, at all? Surely you're not using this as a build-dependency to force Debian cross-builds on the Debian buildds, are you? Nor do I see how apt-cross would be affected by differences between a Debian vs. an Ubuntu mirror. (Ubuntu main is smaller than Debian main, but is still self-contained, to be sure.) > How is emdebian-tools meant to cross-build for ARM on Ubuntu when Ubuntu > does not provide ARM packages and makes changes to the equivalent Debian > packages? Hrm, what changes are at issue here? The Debian maintainers also make changes to Debian packages, all the time. In what way do the Ubuntu changes differ that makes emdebian-tools incompatible with Ubuntu? > To me it seems highly unlikely that > cross versions of Debian packages would install over a Ubuntu base, > especially when those packages are the typical debootstrap selection > that have a variety of changes in Ubuntu. I don't run Ubuntu, I have no > inclination to test for Ubuntu and as no-one else has offered, I cannot > support Ubuntu." While the current absence of any official Ubuntu armel port seems like a pretty good reason to omit emdebian-tools from Ubuntu for the moment, the fact that the Debian package maintainer or upstream author doesn't support Ubuntu would not generally be a reason for Ubuntu not to include the package. Debian also has any number of upstreams who don't "support" Debian, after all. > How many packages could be in this situation? I don't expect it to be > many. Some form of filter on the Ubuntu side may be necessary. Yes, there is a blacklist in Ubuntu to prevent certain packages from being synced from Debian. Scott Kitterman has already started the process now of getting emdebian-tools added to that list. BTW, in your cited blog post, I noticed that you wrote: > I really don't like Launchpad (I have quite enough web-logins thank you very > much) or the PTS link that shows Ubuntu bugs that I cannot close from > Debian. You can close Launchpad bugs in Ubuntu packages from Debian. The "LP: ##" syntax lets bugs get autoclosed when your package is synced to Debian, or when it's merged by an Ubuntu developer. Cheers, -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developerhttp://www.debian.org/ [EMAIL PROTECTED] [EMAIL PROTECTED] -- Ubuntu-motu mailing list Ubuntu-motu@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-motu
Re: Good communication with upstream is good idea
Hi, On Tue, Jul 22, 2008 at 12:06:08PM +0200, Stephan Hermann wrote: > On Mon, 21 Jul 2008 21:59:37 +0200 > Florian Weimer <[EMAIL PROTECTED]> wrote: > > * Stephan Hermann: > > >> What's the correct way to get it out of Unbuntu (universe)? I > > >> don't want to relicense it, but if asking politely does not work, > > >> it seems to be my only choice. > > > > > What needs to be done to make it work on Ubuntu, too? > > > > debsecan needs to be patched to download CVE meta-data from Launchpad, > > and someone needs to maintain the data in Launchpad. > > So, we need somehow the CVE data from LP or from a source which is > being trusted by Ubuntu... > A relation between open CVEs in Ubuntu packages and closed CVEs in > ubuntu-security packages... > > I don't know how far the LP guys are in giving out this data, but I > know that we have the CVE tracker of Ubuntu (kees, jd, emgent > please jump in and fill in any gaps ;)) and we could use this data, > right? LP does not currently have a way to record all the information the security team needs recorded for our work, so we use the ubuntu-cve-tracker[1]. And another reason this isn't in LP yet is because there is no stable API for doing data queries -- asking LP for the CVE state of 500 installed packages would take a looong time right now. We are already outputting human-readable state information[2], so perhaps a long-term solution would be for someone to produce an output mode for the tracker on a per-package basis (right now the output is CVE-oriented). > Now I need to find the time to check the source in general, and how > difficult it will to patch it to our needs...and to make Florian > happy :) Perhaps the best short-term solution would be to have the tool check the LSB info and abort on non-Debian machines? -Kees [1] https://launchpad.net/ubuntu-cve-tracker/trunk [2] http://people.ubuntu.com/~ubuntu-security/cve/open.html -- Kees Cook Ubuntu Security Team -- Ubuntu-motu mailing list Ubuntu-motu@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-motu
Re: Good communication with upstream is good idea
On Mon, 21 Jul 2008 21:59:37 +0200 Florian Weimer <[EMAIL PROTECTED]> wrote: > * Stephan Hermann: > > >> What's the correct way to get it out of Unbuntu (universe)? I > >> don't want to relicense it, but if asking politely does not work, > >> it seems to be my only choice. > > > What needs to be done to make it work on Ubuntu, too? > > debsecan needs to be patched to download CVE meta-data from Launchpad, > and someone needs to maintain the data in Launchpad. > So, we need somehow the CVE data from LP or from a source which is being trusted by Ubuntu... A relation between open CVEs in Ubuntu packages and closed CVEs in ubuntu-security packages... I don't know how far the LP guys are in giving out this data, but I know that we have the CVE tracker of Ubuntu (kees, jd, emgent please jump in and fill in any gaps ;)) and we could use this data, right? Now I need to find the time to check the source in general, and how difficult it will to patch it to our needs...and to make Florian happy :) \sh -- Ubuntu-motu mailing list Ubuntu-motu@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-motu
Re: Good communication with upstream is good idea
I think that's cool, but don't understand where cvs-tracker comes in the picture. I'm adding ubuntu-harcoded to hear their opinions On Mon, 2008-07-21 at 15:07 +0200, Stephan Hermann wrote: > Moins Oliver :), re all :) > > On Mon, 21 Jul 2008 14:46:42 +0200 > Oliver Grawert <[EMAIL PROTECTED]> wrote: > > > hi, > > Am Montag, den 21.07.2008, 08:37 +0200 schrieb Stephan Hermann: > > > What needs to be done to make it work on Ubuntu, too? > > > > > > I think that's one of the easiest things to achieve...if something > > > is not working on Ubuntu, but it's something which works on debian, > > > we could make sure, it will work on Ubuntu too... > > that was my first thougth too, which made me test the tool to find it > > works just fine in 8.04 (indeed not taking ubuntu security updates > > into account that might have fixed the listed debian side issue > > already) ... what Florian was concerned about above is that it uses > > debian server resources to obtain the list, our userbase is big > > enough to put an inconvenient extra amount of bandwith onto their > > servers if i.e. someone blogs about the tool on planet.ubuntu.com ... > > Well, if that is really a problem... > > > so a server of any kind and someone to take care of it would be needed > > for a start, looking at the code some minor changes would be needed to > > the defaults to make it point to the ubuntu server instead of the > > debian one ... > > (and preferably the server sided list should take the USN list into > > account instead of the debian list of issues) > > if someone is going to fix this asap, I can provide bandwidth (or if > it's really a cool security update package tracker for debian and > ubuntu we can also ask to host the server side somewhere at CDC). > > But bandwidth is not a problem...and a server is always there... > > > \sh -- aka nxvl Key fingerprint = BCE4 27A0 D03E 55DE DA2D BE06 891D 8DEE 6545 97FE gpg --keyserver keyserver.ubuntu.com --recv-keys 654597FE signature.asc Description: This is a digitally signed message part -- Ubuntu-motu mailing list Ubuntu-motu@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-motu
Re: Good communication with upstream is good idea
* Stephan Hermann: >> What's the correct way to get it out of Unbuntu (universe)? I don't >> want to relicense it, but if asking politely does not work, it seems >> to be my only choice. > What needs to be done to make it work on Ubuntu, too? debsecan needs to be patched to download CVE meta-data from Launchpad, and someone needs to maintain the data in Launchpad. -- Ubuntu-motu mailing list Ubuntu-motu@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-motu
Re: Good communication with upstream is good idea
Moins Oliver :), re all :) On Mon, 21 Jul 2008 14:46:42 +0200 Oliver Grawert <[EMAIL PROTECTED]> wrote: > hi, > Am Montag, den 21.07.2008, 08:37 +0200 schrieb Stephan Hermann: > > What needs to be done to make it work on Ubuntu, too? > > > > I think that's one of the easiest things to achieve...if something > > is not working on Ubuntu, but it's something which works on debian, > > we could make sure, it will work on Ubuntu too... > that was my first thougth too, which made me test the tool to find it > works just fine in 8.04 (indeed not taking ubuntu security updates > into account that might have fixed the listed debian side issue > already) ... what Florian was concerned about above is that it uses > debian server resources to obtain the list, our userbase is big > enough to put an inconvenient extra amount of bandwith onto their > servers if i.e. someone blogs about the tool on planet.ubuntu.com ... Well, if that is really a problem... > so a server of any kind and someone to take care of it would be needed > for a start, looking at the code some minor changes would be needed to > the defaults to make it point to the ubuntu server instead of the > debian one ... > (and preferably the server sided list should take the USN list into > account instead of the debian list of issues) if someone is going to fix this asap, I can provide bandwidth (or if it's really a cool security update package tracker for debian and ubuntu we can also ask to host the server side somewhere at CDC). But bandwidth is not a problem...and a server is always there... \sh -- Ubuntu-motu mailing list Ubuntu-motu@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-motu
Re: Good communication with upstream is good idea
hi, Am Montag, den 21.07.2008, 08:37 +0200 schrieb Stephan Hermann: > What needs to be done to make it work on Ubuntu, too? > > I think that's one of the easiest things to achieve...if something is > not working on Ubuntu, but it's something which works on debian, we > could make sure, it will work on Ubuntu too... that was my first thougth too, which made me test the tool to find it works just fine in 8.04 (indeed not taking ubuntu security updates into account that might have fixed the listed debian side issue already) ... what Florian was concerned about above is that it uses debian server resources to obtain the list, our userbase is big enough to put an inconvenient extra amount of bandwith onto their servers if i.e. someone blogs about the tool on planet.ubuntu.com ... so a server of any kind and someone to take care of it would be needed for a start, looking at the code some minor changes would be needed to the defaults to make it point to the ubuntu server instead of the debian one ... (and preferably the server sided list should take the USN list into account instead of the debian list of issues) ciao oli signature.asc Description: Dies ist ein digital signierter Nachrichtenteil -- Ubuntu-motu mailing list Ubuntu-motu@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-motu
Re: Good communication with upstream is good idea
Moins, On Sun, 20 Jul 2008 18:05:47 +0200 Florian Weimer <[EMAIL PROTECTED]> wrote: > * Osamu Aoki: > > > I found some of my packages are offered as a part of Ubuntu archive. > > Same here. In my case (debsecan), it's a bit irresponsible because > the package doesn't really work on Ubuntu--but it's not readily > apparent to potential users. Furthermore, it uses server resources > provided to Debian, and not to Ubuntu. > > What's the correct way to get it out of Unbuntu (universe)? I don't > want to relicense it, but if asking politely does not work, it seems > to be my only choice. > What needs to be done to make it work on Ubuntu, too? I think that's one of the easiest things to achieve...if something is not working on Ubuntu, but it's something which works on debian, we could make sure, it will work on Ubuntu too... \sh -- Ubuntu-motu mailing list Ubuntu-motu@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-motu
Re: Good communication with upstream is good idea
Florian Weimer <[EMAIL PROTECTED]> writes: > What's the correct way to get it out of Unbuntu (universe)? I'd suggest filing a bug, and perhaps advertise it on the relevant developer mailing lists. > I don't want to relicense it, but if asking politely does not work, it > seems to be my only choice. Relicensing would most probably make the package end up in multiverse instead of univserse. In any case it would end up much confusion and very litte benefit for all involved parties. -- Gruesse/greetings, Reinhard Tartler, KeyID 945348A4 -- Ubuntu-motu mailing list Ubuntu-motu@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-motu
Re: Good communication with upstream is good idea
* Neil Williams: >> What's the correct way to get it out of Unbuntu (universe)? I don't >> want to relicense it, but if asking politely does not work, it seems to >> be my only choice. > > How would you relicence it in a manner that prevents use in Ubuntu but > retains DFSG compatibility to remain in Debian main? Relicensing would involve moving the package to non-free, that's correct. I could try some trademark stunt, but I don't want to spend any money on a trademark registration. I don't see why such cases (including yours) can't be resolved amicably. It's not rocket science, after all. > How many packages could be in this situation? I don't expect it to be > many. Some form of filter on the Ubuntu side may be necessary. > Alternatively, is there a package that I can list in Conflicts: that is > only present in Debian derivatives? Yes, any mechanism could be abused > but MOTU-people could always file bugs in the BTS about such usage. MOTU bugs should end up in the Canonical bug tracker. -- Ubuntu-motu mailing list Ubuntu-motu@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-motu
Re: Good communication with upstream is good idea
2008/7/20 Florian Weimer <[EMAIL PROTECTED]>: > * Osamu Aoki: > >> I found some of my packages are offered as a part of Ubuntu archive. > > Same here. In my case (debsecan), it's a bit irresponsible because the > package doesn't really work on Ubuntu--but it's not readily apparent to > potential users. Furthermore, it uses server resources provided to > Debian, and not to Ubuntu. > > What's the correct way to get it out of Unbuntu (universe)? I don't > want to relicense it, but if asking politely does not work, it seems to > be my only choice. Packages are automatically synced from Debian as part of the development process, if a package doesn't want to be in Ubuntu then as far as I know there needs to be a manual override set up. Relicensing your software to stop other people redistributing seems like overkill to be honest, and no doubt would cause your package to break the Debian Free Software Guidelines. You can't release under a free license and keep 100% control over redistribution! Caroline -- Ubuntu-motu mailing list Ubuntu-motu@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-motu
Re: Good communication with upstream is good idea
* Osamu Aoki: > I found some of my packages are offered as a part of Ubuntu archive. Same here. In my case (debsecan), it's a bit irresponsible because the package doesn't really work on Ubuntu--but it's not readily apparent to potential users. Furthermore, it uses server resources provided to Debian, and not to Ubuntu. What's the correct way to get it out of Unbuntu (universe)? I don't want to relicense it, but if asking politely does not work, it seems to be my only choice. -- Ubuntu-motu mailing list Ubuntu-motu@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-motu