Hello what is hopefully the Debian TC. I recently had a weird experience on a Debian bug as an upstream software author. I am not a Debian Developer.

The relevant artifacts are:

* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132795
* https://github.com/mikalstill/pngtools/issues/37
* https://www.madebymikal.com/is-this-the-standard-of-behavior-we-get-from-debian-now/
* https://www.madebymikal.com/lets-see-if-the-debian-complaints-process-gets-anywhere/

And to a lesser extent the discussion at https://www.linkedin.com/feed/update/urn:li:activity:7471777300879982592/ although I understand that some aren't super into walled garden business themed social networks.

I raised the conduct I experienced with [email protected] and while disappointed that the answer (below) appears to be that this is aligned with Debian's expectations of upstream interactions, I am more concerned about another issue.

I want to be super clear that I genuinely don't care about a cosmetic patch to pngtools because of one complaining and quite rude user. What I do care about is that I think the experience demonstrated that there isn't much if any review process for these patches being added. I would like to understand how Debian ensures that supply chain attacks aren't being inserted into packages at this packaging layer given they appear to be able to be landed by a single Debian Developer without any internal review. Surely this class of attacks should be of concern to Debian just as much as people's freedom to own and change the software they run?

Thanks,
Michael

---------- Forwarded message ---------
From: Michael Still <[email protected]>
Date: Wed, Jun 17, 2026 at 5:43 AM
Subject: Re: Complaint regarding conduct on bug 1132795
To: <[email protected]>
Cc: <[email protected]>, <[email protected]>

Honestly, this is a disappointing response while being aligned with my expectations.

The Debian Developer on that bug, "atzlinux" / "xiao sheng wen" failed to either attempt to address the unacceptable behaviour of the others in the bug and in several cases encouraged that behaviour:

The Debian code of conduct calls for community members to be respectful / collaborative: atzlinux failed to file a meaningful bug upstream. The entire bug report from him is "“Resolution: (not specified)” is pointless. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132795. Thanks!". Largely this entire experience for me has flowed by atzlinux failing to do a reasonable job of that first minimal step, and then failing to intervene and course correct when his actions snowballed.

I replied to atzlinux's terse bug report and asked for the bug commenters to stop describing me as "unwell" and discussing my mental health, and requesting more details and a justification for why the behaviour was erroneous given it was specifically added to address a previous bug. I have in fact never said I would refuse to take the patch, I have asked for a meaningful and respectful conversation. The other users continued in their personal attacks and again instead of trying to settle things down he simply landed a patch in Debian instead of replying to me.

I understand that Debian believes in software freedom, including the right of Debian Maintainers to patch upstream code. I have been using Debian a very long time and know a lot of Debian Developers. However, I think this bug has made me realise that Debian lacks a quality control process to ensure that those patches are reviewed by more than their author, and align with the overall intent of Debian. I am surprised that the idea that a supply chain attack could be added at the Debian packaging level appears to have not been considered at all.

Michael

On Wed, Jun 17, 2026 at 4:33 AM Don Armstrong <[email protected]> wrote:
> On Mon, 15 Jun 2026, Michael Still wrote:
> > I am the author and maintainer of pngtools, a PNG image tooling
> > package that has been packaged by Debian for a long time.
>
> Thank you for your contributions to FOSS.
>
> > I have recently experienced conduct from Debian developers and users
> > on https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132795
>
> There is exactly one Debian Developer in that discussion, atzlinux.
> Everyone else is a user.
>
> Everyone is also communicating in a language (English) which does not
> appear to be their native language, so please give everyone grace as
> they occasionally use imprecise language.
>
> While ideally every patch that Debian produces gets upstreamed, Debian
> developers can (and frequently do) decide to carry patches that diverge
> from upstream to better serve our users and the distribution. If you
> disagree, the best way to do so is to engage with the Debian Developer
> and explain why you think they should use a different approach.
>
> At the end of the day, we're all volunteers; direct engagement assuming
> good intent yields the best outcomes.
>
>
> Thanks!
>
> --
> Don Armstrong https://www.donarmstrong.com
>
> life's not a paragraph
> And death i think is no parenthesis
> -- e.e. cummings "Four VII" _is 5_
>

