Re: Maintenance of python-cryptography

2024-03-15 Thread Emmanuel Arias
Hi!




On Fri, Mar 15, 2024 at 4:19 AM Thomas Goirand  wrote:

> On 3/13/24 18:34, Scott Kitterman wrote:
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064979
> >
> > Would some of you who are pushing so hard to change the policy for
> > Uploaders/ Maintainer in the team please step up and take over this
> > package.  It really needs updated to the new upstream release (blocking
> > both aioquic and dnspython for me, I don't know about others).
> >
> > I haven't done a comprehensive check, but I think morph asked for all the
> > leaf packages he was maintaining in the team to be removed from the archive
> > and is removing himself from uploaders/maintainer on others.
> >
> > You all made this mess.  Please clean it up.
>
> Absolutely not. Sandro did. There's btw absolutely no reason to declare
> a package as "orphan" if it is supposed to be team maintained. It's also
> a very bad behavior to do this silently, without telling the team about
> it, or taking part of the thread. I very much regret things are
> happening this way, but I don't think the rest of the team should be
> held responsible.
>
> If you have the list of the packages matching what you are saying,
> please do share.
>

I think you are looking for this
https://lists.debian.org/debian-python/2024/03/msg00045.html

>
> On 3/14/24 08:52, Andreas Tille wrote:
>  > I would have preferred to
>  > read constructive arguments instead of silent leaving the team (in the
>  > sense of not informing the team mailing list about the leave).
>
> Me too. But I'm not surprised.
>
>
> Cheers,
>
> Thomas Goirand (zigo)
>
>


Re: Maintenance of python-cryptography

2024-03-15 Thread Scott Kitterman



On March 15, 2024 3:47:25 PM UTC, Thomas Goirand  wrote:
>On 3/15/24 13:52, Scott Kitterman wrote:
>> 
>> 
>> On March 15, 2024 7:19:16 AM UTC, Thomas Goirand  wrote:
>>> On 3/14/24 08:52, Andreas Tille wrote:
>>>> I would have preferred to
>>>> read constructive arguments instead of silent leaving the team (in the
>>>> sense of not informing the team mailing list about the leave).
>>> 
>>> Me too. But I'm not surprised.
>> 
>> I didn't have a list, I'm glad someone went through and made one.
>> 
>> Yes, he might have handled his departure from the team differently, but I 
>> found the entire discussion about changing the team policy on setting the 
>> maintainer very off putting.  I haven't talked to him about it beyond making 
>> sure he was aware of the discussion, so I don't know why he handled it the 
>> way he did, but I can easily imagine he was quite frustrated.
>> 
>> Frankly, I think statements like the above aren't particularly consistent 
>> with the project CoC and have me thinking again about if this is the kind of 
>> team I care to be involved with.
>
>Which part? The one where I am saying that I'm not surprised? That in no way 
>should be taken badly, or as an attack on him. Let me explain then.
>
>I too, would prefer if Sandro didn't leave, even if I had difficult moments 
>when communicating with him. I stated it already, I did appreciate his 
>contribution to the team, and to the project at large.
>
>Though it's a fact that I was not surprised, because you mentioned it. We knew 
>in advance it could happen. Looking backward, it seems it was inevitable, 
>unfortunately.
>
>I'd be very sad to see you go as well, please stay.
>
>> While the way he left the team is on him, the fact that it even came up is 
>> 100% on the people pushing this change.
>
>I do not agree. It came up because what it was generating (frustration, flames 
>about "rogue uploads", you name it...) had to be addressed.
>

My level of frustration is not declining.

I suggest to you that the source of the emails about rogue uploads were the 
rogue uploads.  I think that not following the rules and then complaining that 
people called you on not following the rules has an obvious source.

This was an avoidable own goal on the team's part because, in my judgement, 
there was too little openness to diversity of opinions on how to do things.

Scott K



Re: Maintenance of python-cryptography

2024-03-15 Thread Thomas Goirand

On 3/15/24 13:52, Scott Kitterman wrote:
> On March 15, 2024 7:19:16 AM UTC, Thomas Goirand wrote:
>> On 3/14/24 08:52, Andreas Tille wrote:
>>> I would have preferred to
>>> read constructive arguments instead of silent leaving the team (in the
>>> sense of not informing the team mailing list about the leave).
>>
>> Me too. But I'm not surprised.
>
> I didn't have a list, I'm glad someone went through and made one.
>
> Yes, he might have handled his departure from the team differently, but I found
> the entire discussion about changing the team policy on setting the maintainer
> very off putting.  I haven't talked to him about it beyond making sure he was
> aware of the discussion, so I don't know why he handled it the way he did, but
> I can easily imagine he was quite frustrated.
>
> Frankly, I think statements like the above aren't particularly consistent with
> the project CoC and have me thinking again about if this is the kind of team I
> care to be involved with.

Which part? The one where I am saying that I'm not surprised? That in no
way should be taken badly, or as an attack on him. Let me explain then.

I too, would prefer if Sandro didn't leave, even if I had difficult
moments when communicating with him. I stated it already, I did
appreciate his contribution to the team, and to the project at large.

Though it's a fact that I was not surprised, because you mentioned it.
We knew in advance it could happen. Looking backward, it seems it was
inevitable, unfortunately.

I'd be very sad to see you go as well, please stay.

> While the way he left the team is on him, the fact that it even came up is 100%
> on the people pushing this change.

I do not agree. It came up because what it was generating (frustration,
flames about "rogue uploads", you name it...) had to be addressed.


Cheers,

Thomas Goirand (zigo)



Re: Maintenance of python-cryptography

2024-03-15 Thread Scott Kitterman



On March 15, 2024 7:19:16 AM UTC, Thomas Goirand  wrote:
>On 3/13/24 18:34, Scott Kitterman wrote:
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064979
>> 
>> Would some of you who are pushing so hard to change the policy for Uploaders/
>> Maintainer in the team please step up and take over this package.  It really
>> needs updated to the new upstream release (blocking both aioquic and
>> dnspython for me, I don't know about others).
>> 
>> I haven't done a comprehensive check, but I think morph asked for all the
>> leaf packages he was maintaining in the team to be removed from the archive
>> and is removing himself from uploaders/maintainer on others.
>> 
>> You all made this mess.  Please clean it up.
>
>Absolutely not. Sandro did. There's btw absolutely no reason to declare a 
>package as "orphan" if it is supposed to be team maintained. It's also a very 
>bad behavior to do this silently, without telling the team about it, or taking 
>part of the thread. I very much regret things are happening this way, but I 
>don't think the rest of the team should be held responsible.
>
>If you have the list of the packages matching what you are saying, please do 
>share.
>
>On 3/14/24 08:52, Andreas Tille wrote:
>> I would have preferred to
>> read constructive arguments instead of silent leaving the team (in the
>> sense of not informing the team mailing list about the leave).
>
>Me too. But I'm not surprised.

I didn't have a list, I'm glad someone went through and made one.

Yes, he might have handled his departure from the team differently, but I found 
the entire discussion about changing the team policy on setting the maintainer 
very off putting.  I haven't talked to him about it beyond making sure he was 
aware of the discussion, so I don't know why he handled it the way he did, but 
I can easily imagine he was quite frustrated.

Frankly, I think statements like the above aren't particularly consistent with 
the project CoC and have me thinking again about if this is the kind of team I 
care to be involved with.

While the way he left the team is on him, the fact that it even came up is 100% 
on the people pushing this change.  I don't think there's any evidence that 
some other reason is the cause.

Also, for packages which are team maintained, but only have one uploader, 
orphaning is exactly the correct thing to do when that person gives up the 
package.  A human uploader is required.  Similarly, it's the maintainer's call 
if a package should be removed or if it can remain maintained by QA.  While I 
agree more communication would have been better, those are entirely appropriate 
actions for a team maintained package with a single uploader.

Scott K



Re: Maintenance of python-cryptography

2024-03-15 Thread Thomas Goirand

On 3/13/24 18:34, Scott Kitterman wrote:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064979
>
> Would some of you who are pushing so hard to change the policy for Uploaders/
> Maintainer in the team please step up and take over this package.  It really
> needs updated to the new upstream release (blocking both aioquic and
> dnspython for me, I don't know about others).
>
> I haven't done a comprehensive check, but I think morph asked for all the leaf
> packages he was maintaining in the team to be removed from the archive and is
> removing himself from uploaders/maintainer on others.
>
> You all made this mess.  Please clean it up.

Absolutely not. Sandro did. There's btw absolutely no reason to declare
a package as "orphan" if it is supposed to be team maintained. It's also
a very bad behavior to do this silently, without telling the team about
it, or taking part of the thread. I very much regret things are
happening this way, but I don't think the rest of the team should be
held responsible.

If you have the list of the packages matching what you are saying,
please do share.

On 3/14/24 08:52, Andreas Tille wrote:
> I would have preferred to
> read constructive arguments instead of silent leaving the team (in the
> sense of not informing the team mailing list about the leave).

Me too. But I'm not surprised.


Cheers,

Thomas Goirand (zigo)



Re: Maintenance of python-cryptography

2024-03-14 Thread Andreas Tille
Hi Scott,

On Wed, Mar 13, 2024 at 11:39:50PM -0400, Scott Kitterman wrote:
> On Wednesday, March 13, 2024 1:34:14 PM EDT Scott Kitterman wrote:
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064979
> > 
> > Would some of you who are pushing so hard to change the policy for
> > Uploaders/ Maintainer in the team please step up and take over this
> > package.  It really needs updated to the new upstream release (blocking
> > both aioquic and dnspython for me, I don't know about others).

Reading the bug log of your request to upgrade this package has a hint
from Tue, 13 Feb 2024 [1] that some rust dependencies need updates
(thanks for the work on this Jérémy!  BTW, I merged your 41.0.7-5 changes
into master branch and closed bug #1046569 manually).

The discussion about Policy change started two weeks later[2].  I might
miss the point in the connection you are drawing here.

> > I haven't done a comprehensive check, but I think morph asked for all the
> > leaf packages he was maintaining in the team to be removed from the archive
> > and is removing himself from uploaders/maintainer on others.

Your request to speak up[3] was not heard.  I would have preferred to
read constructive arguments instead of silent leaving the team (in the
sense of not informing the team mailing list about the leave).

> > You all made this mess.  Please clean it up.

I think the good intentions[4] in your sentences here are that you
really care about this important package and you fear that it is left
alone.  So thanks for the pointer.

What I did before your mail was sent:

python-cryptography (42.0.5-1) UNRELEASED; urgency=medium

  * Team upload.
  * New upstream version
    Closes: #1059308 (CVE-2023-50782)
    Closes: #1064778 (CVE-2024-26130)
    Closes: #1063771, #1018159
  * Reorder sequence of d/control fields by cme (routine-update)
  * watch file standard 4 (routine-update)
  * Enable building twice in a row
    Closes: #1046569

 -- Andreas Tille   Thu, 29 Feb 2024 10:20:49 +0100

Meanwhile I marked bugs #1059308 and #1064778 pending (they could be
even closed but it's good to have some record inside changelog if CVEs
are involved[5]).  I also closed bug #1018159 which remained open for
no good reason and closed #1046569 manually since it was not mentioned
in changelog of latest upload.

Jérémy did:

python-cryptography (41.0.7-5) unstable; urgency=medium

  * AMAU, Closes: #1064979

  [ Andreas Tille ]
  * Enable building twice in a row

 -- Jérémy Lal   Thu, 07 Mar 2024 13:42:35 +0100

> Actually, it looks like python-cryptography still has one uploader, but morph 
> was doing work on the package, it's complicated,

Since Tristan Seligmann went MIA the package was uploaded by:

 -- Jérémy Lal   Thu, 07 Mar 2024 13:42:35 +0100
 -- Sandro Tosi   Wed, 28 Feb 2024 12:23:58 -0500
 -- Jérémy Lal   Thu, 08 Feb 2024 15:34:30 +0100
 -- Jérémy Lal   Tue, 09 Jan 2024 01:14:48 +0100
 -- Jérémy Lal   Sun, 07 Jan 2024 13:24:39 +0100
 -- Nicolas Dandrimont   Tue, 08 Aug 2023 17:16:11 +0200
 -- Sandro Tosi   Tue, 28 Feb 2023 00:36:13 -0500
 -- Stefano Rivera   Sun, 08 Jan 2023 16:31:04 -0400
 -- Sandro Tosi   Thu, 15 Dec 2022 12:00:09 -0500
 -- Debian Janitor   Thu, 19 May 2022 05:05:36 -
 -- Stefano Rivera   Wed, 18 May 2022 12:22:15 -0400

Comment: Debian Janitor did not really upload the package.  The
Uploader of the subsequent upload probably accidentally forgot to merge
the changelog entries.  The Upload
   Sandro Tosi   Wed, 28 Feb 2024 12:23:58 -0500
is simply orphaning the package.  BTW, "orphaning" is defined by setting
Debian QA team as maintainer.  The package is not really orphaned but has
DPT as maintainer.  I understand your worries about this package but
looking at these entries I do not see in how far the current status
looks that bad.

> and could use more help, not 
> less.  Pyopenssl, on the other hand, is now unmaintained (no human uploader).

Pyopenssl is lagging slightly behind upstream.  Someone could care for
#1047548 but I personally ignore such bugs until other work on the
package needs to be done.  I'm optimistic that someone will step up
as Uploader.

Kind regards
Andreas.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063771#10
[2] https://lists.debian.org/debian-python/2024/02/msg00052.html
[3] https://lists.debian.org/debian-python/2024/02/msg00060.html
[4] https://salsa.debian.org/python-team/tools/python-modules/-/merge_requests/21
[5] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059308#25

-- 
http://fam-tille.de



Re: Maintenance of python-cryptography

2024-03-13 Thread Scott Kitterman
On Wednesday, March 13, 2024 1:34:14 PM EDT Scott Kitterman wrote:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064979
> 
> Would some of you who are pushing so hard to change the policy for
> Uploaders/ Maintainer in the team please step up and take over this
> package.  It really needs updated to the new upstream release (blocking
> both aioquic and dnspython for me, I don't know about others).
> 
> I haven't done a comprehensive check, but I think morph asked for all the
> leaf packages he was maintaining in the team to be removed from the archive
> and is removing himself from uploaders/maintainer on others.
> 
> You all made this mess.  Please clean it up.

Actually, it looks like python-cryptography still has one uploader, but morph 
was doing work on the package, it's complicated, and could use more help, not 
less.  Pyopenssl, on the other hand, is now unmaintained (no human uploader).

Scott K
