Re: [arch-general] [arch-dev-public] signoffs are dead

[Jayesh Badwaik]

Please don't top post. 

http://www.idallen.com/topposting.html

-- 
Cheers
Jayesh Badwaik

signature.asc
Description: This is a digitally signed message part.

Re: [arch-general] [arch-dev-public] signoffs are dead

[Lukas Rose]

I've noticed more issues than usual in the last few weeks as well. Including 
one big issue that prevented my whole system from booting (just a black screen 
with flashing cursor, not even a command prompt let alone my lightdm login 
screen). I didn't file bug reports for those, since I am very busy with 
studying, so in case such a bug happens I just restore my binaries from a 
backup and use that until the issue is resolved by updates. That's faster than 
searching for and reproducing the issue to file a bug report. I guess some of 
those issues might have been prevented by sign offs. Quality assurance is a big 
deal in modern computer systems because of their complexity. That applies even 
for non-profit organisations like the Arch Linux community is.

>> On 29 Jun 2016, at 09:06, Jack L. Frost  wrote:
>> On Wed, Jun 29, 2016 at 07:36:49AM +0200, Ralf Mardorf wrote:
>> I couldn't notice more issues as usual
> Same here, no more issues than usual

Re: [arch-general] [arch-dev-public] signoffs are dead

[Genes Lists via arch-general]

On Sat, 2016-07-02 at 09:16 +1000, Allan McRae wrote:
> 
> This sounds like the Fedora policy where packages have to surpass a
> certain karma level to move into the main repositories.  I'm not sure
> who gets to vote for that though.
> 
> A
   I would suggest allowing any Arch user vote yay or nay (with
comments) - I believe this is what fedora did - only requirement was to
be a registered user of the website. I don't imagine significantly more
information will be obtained beyond the issues raised now in the mail
list and forum. However, it does have the advantage of putting it in a
single place for the packager.
gene

Re: [arch-general] [arch-dev-public] signoffs are dead

[Jens Adam]

Wed, 29 Jun 2016 21:51:17 +0200
Florian Pritz via arch-dev-public :

> Maybe we should look into finding some people that want to help test
> stuff and give them permissions to sign off on packages?

+1
Sign me up, running [testing] for a decade now anyway, on x86_64 and
i686.

--byte


pgpOmTnKTxlIK.pgp
Description: Digitale Signatur von OpenPGP

Re: [arch-general] [arch-dev-public] signoffs are dead

[Kyle Terrien via arch-general]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Wed, 29 Jun 2016 21:51:17 +0200
Florian Pritz via arch-dev-public  wrote:
> As pointed out on arch-general (not by me) this makes the whole
> signoff process useless. Maybe we should look into finding some
> people that want to help test stuff and give them permissions to sign
> off on packages?
> 
> Florian

Yes, this sounds like a very good idea.

Until now, I have had no reason to run a container/VM with the testing
repos enabled.  However, if signoffs are opened up to a wider community,
I think I might just try it out.

It is great to catch problems before they are pushed to production.

- --Kyle
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQIcBAEBCAAGBQJXdK22AAoJEN5rMzXPJBsQVcIQAI0LrK2wMCGGabqCidDlJ9wC
0M7RD8KQOEe+OtGzZYBr0qRTzsaM5tV/7GVlq/OgX6Wi2l26jsgightfUwj2STHj
c2fjJg+VyHZd20YdHCP2Zfvqqq//3TyesCgc/9wvltqE+tB0WPr97K6GS5adIKV4
wGFqDEsf8KXLhPJFE8cHD7gx+RnBLg392NLOpBWwlQJB61hV6cv5IMgjC06ZeQdM
UQ3GeUx4gQ3eUByHUFQDsaocFEef3lSqlySw0fM68ZPOlnBeF00tJhWYGBVy6spS
5KTeCVpGW86Zkb0jrxEuEgBYZj8AtMOYSHijCioZRkhKSkUs0rwcfeyf7+dsJgle
4tDZK57nJZZNFmX8+mPBPOyWXr3VCfGQx/ob60vb6Ky2uL+nFhBbs1qgokrvYWMw
nIMl7GH1UTo+kgzuMM17I9gUCmg+L4slclCv/6cRzUCVe8tw4t2imZPiUFC6nyPA
Xjejd92zNcQApd/tVUap8UDVwJTS1wcGCjKKC+3RX9IH/GdmPOdphDvzCXmmnJHM
0dOM+60+NrUOeda1A3sE2lRyrdhUxVOpfoy4c3FCJIQWiD6ezeMIzAqB3iwISw/B
CNy6QH4aEBxhyckFQJk7jZ9P0g8PltZ+nUrrNX+iWNkLpFOXhpn38fy7M66b/aca
08Dz3JiOtzK1A2y1Afi7
=r3gL
-END PGP SIGNATURE-

Re: [arch-general] [arch-dev-public] signoffs are dead

[Ismael Bouya]

Hey there,
At some point I started to receive those "signoff" message on one of the list
I'm subscribed to. I searched on the wiki what that meant, but with no result. I
see that on https://wiki.archlinux.org/index.php/Official_repositories you
mention in one sentence what it is, but sorry it's not clear what I can do about
that. I also spend maybe half an hour trying to find that in my profile, with no
result either. I concluded that maybe it was something for only trusted users,
and it was just not my business.

Maybe the first step before considering the signoff "dead" would be to educate
people on how to do that? It might be obvious to the Trusted users on how
everything works. As far as I am concerned, I have no idea of the packaging
process apart from AUR. All the technical parts are now natural to me, but all
the "human" process is completely obscure.

Kind regards,

(Tue, Jun 28, 2016 at 07:28:10PM -0700) Kyle Terrien via arch-general :
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> I am replying to arch-general because arch-dev-public is closed to most
> users.
> 
> On Tue, 28 Jun 2016 08:09:41 -1000
> Gaetan Bisson  wrote:
> > Dear all,
> > 
> > For a while now packages in [testing] have gotten little to no
> > signoffs and I've been moving mine to [core] after a week without
> > feedback. I suspect many of you have been doing this too. Here's the
> > signoff reports over the last ten days:
> > 
> > - June 19: 0 signoffs
> > - June 20: 6 from me, 4 from anthraxx
> > - June 21: 0
> > - June 22: 5 from me
> > - June 23: 2 from demize
> > - June 24: 1 from me
> > - June 25: 0
> > - June 26: 1 from me
> > - June 27: 3 from me, 1 from eworm
> > - June 28: 3 from heftig, 2 from arojas
> > 
> > So I've decided to shorten the wait in [testing] to 48 hours. Many
> > updates to [core] packages include security fixes and they have better
> > move sooner rather than later. We used to be able to gather enough
> > signoffs to move these within a day or two, and that's what I intend
> > to do with or without signoffs.
> > 
> > Any comment, and especially any other idea to fix this situation, is
> > welcome.
> > 
> > Cheers.
> 
> First, I am an Arch user (for 3 years now) not an Arch dev, and I
> realize I have no right to tell anyone how to run the distribution.
> What follows is just my personal recommendation based on working
> software QA professionally.
> 
> With that said, I think eliminating signoffs is a bad idea.
> 
> Signoffs ensure some form of quality control.  A signoff is an explicit
> approval from someone that the package is satisfactory to his/her
> standards.  A potential signee has a completely different perspective
> than the packager and a different way of verifying that the packager's
> package is correct.  This sort of approval process catches errors that
> would otherwise escape the packager's notice.  Simply waiting a period
> of time without hearing complaints is not equivalent to explicit
> approval from others.
> 
> I have personally experienced several breakages in the past several
> months--more than usual.  A few were big enough that simply running 'foo
> - --version' should have revealed a problem (i.e.  linking problems).  A
> signoff process would have very likely caught these problems.
> 
> IMHO, the correct thing to do is remind other developers of the signoff
> policy.  (And the above post to arch-dev-general certainly does just
> that.)  Encouraging another set of eyes to look at someone's work and
> say, "This looks good to me," is a very good thing and does wonders in
> terms of quality control.
> 
> If getting security fixes pushed out is a concern, then getting the
> security related fixes signed off should be prioritized.  (Maybe by
> putting in a flag that automatically triggers a mail to arch-dev-public)
> 
> Respectfully yours,
> - --Kyle Terrien
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v2
> 
> iQIcBAEBCAAGBQJXczI6AAoJEN5rMzXPJBsQASIP+gLGiQbQVrg/mNVDacXaHuEK
> 8H3QQz9amQMwgQXq8Mh17HWfbiQMQMWD48O9CBP+fUyWLVPOxs6g4H/aXFiIm4G+
> Qw6/vWfgQaGjY60nLJ7D8/NVq9PwXSPEYF1cA8/6D7JtuotwXxCFENiNR9Qki7Un
> 3QCXRI6Z/KKGcpBvpIsa++qDeZuXnSTy00ZJO5EFYxTi+AUBEyffHX/bS2IUCOkC
> tUWxtoVIix4buD32/tCnPz19wku9MylddYBzNuB1qCD1NG6XLsxmn8WiHGeoiy+E
> uFwjxPgDx0MaldNNJzubC2LQD/osdTDTTPwDf2M0c802FI+pHxlj/Dk9imz86NFA
> 9xPH8WJ1cfiVTue0BkRJXlR2eI0VIPSqAbpcDCfzCwYbrFuFoqwszpET03PtF/Y4
> 5tfZHLODiFpDc9Whu5o4ejzf4p/eMUN3xmwUp+8cguFcSmjBSPvYvRbgI8puiPRm
> Al5xYxnrmghEf9R5fIRUWoHlsGNNMrmd1MKquJ6i1+Dkf0pmUK4t58G3crWjFb7+
> laMUKYRmH+LwYhxvET562E8EM8QYYtow+PietZssC7ZhjGa1sG70FahQWCijmIj6
> TdpfCiNgmQ8AF4C4JXhzZvONtdYzUeNSgiv/FkA9T4n9Xje/ZCUhyM+inaqmA/5A
> ComaWc2SjeM8gTBfdPQa
> =E42/
> -END PGP SIGNATURE-

-- 
Ismael


signature.asc
Description: Digital signature

Re: [arch-general] [arch-dev-public] signoffs are dead

[Jack L. Frost]

On Wed, Jun 29, 2016 at 07:36:49AM +0200, Ralf Mardorf wrote:
> Excepted of issues that happen, if upstream decides to make a change of
> course, as e.g. gtk or qt did, I couldn't notice more issues as usual.

Same here, no more issues than usual, and I even run a bastard version of Arch
with my own meta-repo. Would have probably noticed.


signature.asc
Description: PGP signature

Re: [arch-general] [arch-dev-public] signoffs are dead

[Ralf Mardorf]

On Tue, 28 Jun 2016 19:28:10 -0700, Kyle Terrien via arch-general wrote:
>I have personally experienced several breakages in the past several
>months--more than usual.  A few were big enough that simply running
>'foo - --version' should have revealed a problem (i.e.  linking
>problems). A signoff process would have very likely caught these
>problems.

Could you provide some examples, by linking to the bug reports?

Excepted of issues that happen, if upstream decides to make a change of
course, as e.g. gtk or qt did, I couldn't notice more issues as usual.

Regards,
Ralf

Re: [arch-general] [arch-dev-public] signoffs are dead

[Kyle Terrien via arch-general]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

I am replying to arch-general because arch-dev-public is closed to most
users.

On Tue, 28 Jun 2016 08:09:41 -1000
Gaetan Bisson  wrote:
> Dear all,
> 
> For a while now packages in [testing] have gotten little to no
> signoffs and I've been moving mine to [core] after a week without
> feedback. I suspect many of you have been doing this too. Here's the
> signoff reports over the last ten days:
> 
> - June 19: 0 signoffs
> - June 20: 6 from me, 4 from anthraxx
> - June 21: 0
> - June 22: 5 from me
> - June 23: 2 from demize
> - June 24: 1 from me
> - June 25: 0
> - June 26: 1 from me
> - June 27: 3 from me, 1 from eworm
> - June 28: 3 from heftig, 2 from arojas
> 
> So I've decided to shorten the wait in [testing] to 48 hours. Many
> updates to [core] packages include security fixes and they have better
> move sooner rather than later. We used to be able to gather enough
> signoffs to move these within a day or two, and that's what I intend
> to do with or without signoffs.
> 
> Any comment, and especially any other idea to fix this situation, is
> welcome.
> 
> Cheers.

First, I am an Arch user (for 3 years now) not an Arch dev, and I
realize I have no right to tell anyone how to run the distribution.
What follows is just my personal recommendation based on working
software QA professionally.

With that said, I think eliminating signoffs is a bad idea.

Signoffs ensure some form of quality control.  A signoff is an explicit
approval from someone that the package is satisfactory to his/her
standards.  A potential signee has a completely different perspective
than the packager and a different way of verifying that the packager's
package is correct.  This sort of approval process catches errors that
would otherwise escape the packager's notice.  Simply waiting a period
of time without hearing complaints is not equivalent to explicit
approval from others.

I have personally experienced several breakages in the past several
months--more than usual.  A few were big enough that simply running 'foo
- --version' should have revealed a problem (i.e.  linking problems).  A
signoff process would have very likely caught these problems.

IMHO, the correct thing to do is remind other developers of the signoff
policy.  (And the above post to arch-dev-general certainly does just
that.)  Encouraging another set of eyes to look at someone's work and
say, "This looks good to me," is a very good thing and does wonders in
terms of quality control.

If getting security fixes pushed out is a concern, then getting the
security related fixes signed off should be prioritized.  (Maybe by
putting in a flag that automatically triggers a mail to arch-dev-public)

Respectfully yours,
- --Kyle Terrien
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQIcBAEBCAAGBQJXczI6AAoJEN5rMzXPJBsQASIP+gLGiQbQVrg/mNVDacXaHuEK
8H3QQz9amQMwgQXq8Mh17HWfbiQMQMWD48O9CBP+fUyWLVPOxs6g4H/aXFiIm4G+
Qw6/vWfgQaGjY60nLJ7D8/NVq9PwXSPEYF1cA8/6D7JtuotwXxCFENiNR9Qki7Un
3QCXRI6Z/KKGcpBvpIsa++qDeZuXnSTy00ZJO5EFYxTi+AUBEyffHX/bS2IUCOkC
tUWxtoVIix4buD32/tCnPz19wku9MylddYBzNuB1qCD1NG6XLsxmn8WiHGeoiy+E
uFwjxPgDx0MaldNNJzubC2LQD/osdTDTTPwDf2M0c802FI+pHxlj/Dk9imz86NFA
9xPH8WJ1cfiVTue0BkRJXlR2eI0VIPSqAbpcDCfzCwYbrFuFoqwszpET03PtF/Y4
5tfZHLODiFpDc9Whu5o4ejzf4p/eMUN3xmwUp+8cguFcSmjBSPvYvRbgI8puiPRm
Al5xYxnrmghEf9R5fIRUWoHlsGNNMrmd1MKquJ6i1+Dkf0pmUK4t58G3crWjFb7+
laMUKYRmH+LwYhxvET562E8EM8QYYtow+PietZssC7ZhjGa1sG70FahQWCijmIj6
TdpfCiNgmQ8AF4C4JXhzZvONtdYzUeNSgiv/FkA9T4n9Xje/ZCUhyM+inaqmA/5A
ComaWc2SjeM8gTBfdPQa
=E42/
-END PGP SIGNATURE-