Hi all,
I'm Fabio Ruhland, a Google Summer of Code 2026 contributor working on DebNet, mentored by Arian Ott and Christian Kastner.

DebNet uses UDD to model the archive as a dependency graph and a maintainer–package graph, and computes practical metrics (bus factor [1], dependency impact, and a fragility score [2]) to surface packages that are single points of failure. The aim is to complement WNPP, the MIA team, and qa.debian.org by flagging packages that are becoming undermaintained (usually the precursor to orphaning, and far more common under maintainer overload) before they actually become orphaned.

It's early, and since I want this to be genuinely useful, I'd value input from people who maintain packages day to day. A few specific questions:

* What would make a fragility signal actually actionable for you, rather than just noise?
* For bus factor, does counting distinct uploaders over a recent window (with team-maintained packages flagged separately) match how you'd think about it?
* Any existing tools or prior work I should be building on rather than duplicating?

More broadly, I'd welcome the perspective of people who have been doing this far longer than I have: failure modes you've seen where a package quietly became a single point of failure, quirks in the UDD data worth watching out for, or angles on archive resilience I might be missing. I won't be able to build everything in one GSoC, but I'd like the foundations to be shaped by real experience. And I'm happy to collect longer-term ideas on the wiki so nothing gets lost.

Project page: https://wiki.debian.org/DebNet

Thanks,
Fabio (Salsa: ruhlando)

[1] Bus factor: how many people would have to step away before a package loses active maintenance. Here, the distinct humans who actually uploaded it within a recent window (team addresses counted separately).

[2] Fragility: low maintenance combined with high dependency impact. A package few people maintain but many others depend on.
For example, a library with no active uploader for years that hundreds of packages still need to build or run: if it breaks, the breakage cascades and nobody is actively watching it.
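
The definitions in footnotes [1] and [2], worked through as an added example that is not part of the original message and is not DebNet's code. The upload rows, dependency edges, team address list, two-year window and the thresholds combining the two metrics are all constructed assumptions; dependency impact is taken here to mean the count of transitive reverse dependencies.

```python
from datetime import date, timedelta

# Constructed sample data (not real UDD rows): (package, uploader, upload date)
UPLOADS = [
    ("libfoo", "alice@example.org", date(2021, 3, 1)),
    ("libfoo", "team@lists.example.org", date(2025, 11, 2)),
    ("app-a", "bob@example.org", date(2026, 1, 10)),
    ("app-a", "carol@example.org", date(2025, 9, 5)),
    ("app-b", "bob@example.org", date(2026, 2, 20)),
    ("libbar", "dave@example.org", date(2026, 3, 3)),
]
# Constructed dependency edges: package -> packages it depends on
DEPENDS = {"app-a": ["libfoo"], "app-b": ["app-a", "libbar"], "libbar": ["libfoo"]}
TEAM_ADDRESSES = {"team@lists.example.org"}  # assumed list of team addresses

def bus_factor(uploads, today, window_days=730, teams=TEAM_ADDRESSES):
    """Map package -> (distinct human uploaders in the window, team upload seen)."""
    cutoff = today - timedelta(days=window_days)
    humans, team_seen = {}, {}
    for pkg, who, when in uploads:
        humans.setdefault(pkg, set())  # stale-only packages still get a 0 entry
        team_seen.setdefault(pkg, False)
        if when < cutoff:
            continue
        if who in teams:
            team_seen[pkg] = True      # team address: flagged, not counted as a human
        else:
            humans[pkg].add(who)
    return {pkg: (len(people), team_seen[pkg]) for pkg, people in humans.items()}

def dependency_impact(depends):
    """Map package -> number of packages that depend on it, directly or transitively."""
    rdeps = {}
    for pkg, deps in depends.items():
        for dep in deps:
            rdeps.setdefault(dep, set()).add(pkg)
    impact = {}
    for pkg in set(depends) | set(rdeps):
        seen, stack = set(), [pkg]
        while stack:                   # walk reverse edges; 'seen' guards against cycles
            for parent in rdeps.get(stack.pop(), ()):
                if parent not in seen:
                    seen.add(parent)
                    stack.append(parent)
        seen.discard(pkg)
        impact[pkg] = len(seen)
    return impact

def fragile(uploads, depends, today, max_bus=1, min_impact=2):
    """Assumed rule: few human uploaders AND many dependants (thresholds are made up)."""
    bf, impact = bus_factor(uploads, today), dependency_impact(depends)
    return sorted(p for p, (n, _team) in bf.items()
                  if n <= max_bus and impact.get(p, 0) >= min_impact)
```

In the sample data, libfoo is the only package flagged: its one recent upload came from a team address, so no individual human is counted, while three packages depend on it.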

