On Пан, 25 жні 2025, Maxwell G wrote:
Hi,
It looks like the freeipa and retrace-server packages have invalid
primary maintainers. freeipa has a user named ipa-maint as the main
admin and retrace-server has a user named abrt-team as the main admin.
This is a problem for three reasons:
1. SIGs are not allowed to be listed as a primary maintainer, even
if the SIG is represented by a user. According to Kevin, it's possible
that these packages were grandfathered in before this policy was made;
2. Neither of these users are members of the packager group. I'm
not sure what would happen if this user were to try to log in to
distgit and make changes to the package configuration because of that;
3. These users have emeils configured in FAS that point to
@redhat.com Google Groups that don't allow outside posting. I got
bounces when I tried to send the orphaned packages report to this
email. This should be fixed in addition to the distgit permissions
issue. It's a problem to have an unreachable FAS email address.
Please consider handing these packages to a single maintainer as the
main admin and removing these psuedo-users from the package. You can
still set a Bugzilla override to this user (there's an "Edit" button
under the "Bugzilla Assignee" list on the distgit Pagure repo) so bugs
will still be assigned to your group without needing to give the user
actual privileges on that package. Please also take a look at the
broken Google Group configuration.
I am sending this to devel list for transparency and to increase the
chance that the right people see it since these psuedo-users' email
addresses are unreachable.
We certainly can do that for FreeIPA. However, I see a lot of issues
with this approach. In fact, FreeIPA indirectly depends on several packages
where a singular maintainer orphaned the package without consulting with
other maintainers and none of those were aware (and still did not act,
it seems) of the action.
For example, mod_wsgi was orphaned while there wasn't any intent to
orphan it. python-cherrypy is orphaned while it has plenty of
maintainers and no intent to orphan it (Ceph team at IBM depends on it).
When I consulted those maintainers, the answer was 'we are admins, we
intent to maintain packages, there is no problem here'. The package
still belongs to 'orphan' and none of the package maintainers received a
note about it.
It looks there is also no communication to all admins about the orphaning
event. E.g. when someone presses 'orphan' button on
src.fedoraproject.org, this is not really communicated elsewhere.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
