[Pkg-auth-maintainers] Maintainance of Yubikey-related packages

Nicolas Braud-Santoni nicolas at braud-santoni.eu
Thu Jul 14 18:25:49 UTC 2016

Hi Alessio,

Thanks for the acknowledgment (of the NMUs, of the problematic situation,
and of my previous email).

Before I go any further, I would like to state that none of what follows is
intended to be personal critique, just contructive criticism.

On Thu, Jul 14, 2016 at 06:34:14PM +0200, Alessio Di Mauro wrote:
> There is a discussion about some of us becoming DM and doing this properly,
> but I see no harm in adding more people to the group.

I think we would all benefit from the discussion taking place in public,
for instance on the pkg-auth-maintainers mailing-list.

Indeed, I have the impression that part of the problem is that it isn't
currently easy for fellow Debian contributors to help you maintain those
packages or have some visibility on what is going on.

FYI, I'm neither a Debian Developer nor a DM (so I do not have any upload
rights whatsoever), yet I was able to solve the bugs impacting the packages
I cared about:  becoming DMs will only give you the ability to upload newer
versions of those packages without going through a sponsored upload,
it will not magically solve the current situation.

In particular, I think there are two aspects to the situation:
- the packages are not being maintained;
- it is unreasonably difficult for other people to help, because:
  - nobody except you has push access to the packaging repo,
    not even the team that is the listed uploader;
  - the pkg-auth team seems dead anyway, though we can revive it;
  - the state in the packaging repositories is completely
    disconnected from the state in the archive:
    - some versions were commited in Git (almost a year ago)
      but never existed in the archive;
    - none of the NMUs that occured have been imported in Git.

Could you comment on my suggestion to push to Alioth packaging repositories
with a sensible Git history, and advertise them (in the package metadata)
as the actual packaging repos?

This would make it very easy to grant push access to all members of pkg-auth
(and not have to manually maintain a copy of the member list on Github),
and to take advantage of the existing tooling: the pkg-auth mailing list
already receives ftp-master and BTS notifications, and the pkg-auth team
has all relevant packages in its DPPO dashboard.

Moreover, this would be pretty easy to do once (at least) one of us is added
to the pkg-auth team; for information, I already have such Git repos for
pam-u2f, libu2f-host and libu2f-server.



> Unfortunately however, most of the team is unavailable right now due to
> summer leave. We'll resume the discussion as soon as everybody is back, I
> just didn't want you to feel ignored or to think that we're not interested
> in this issue.
> Bye
> A.
> > From: "Nicolas Braud-Santoni" <nicolas at braud-santoni.eu>
> > Date: Jul 8, 2016 18:39
> > Subject: Maintainance of Yubikey-related packages
> > To: <pkg-auth-maintainers at lists.alioth.debian.org>
> > Cc: <klas at yubico.com>, <alessio at yubico.com>, <dain at yubico.com>
> >
> > Hi,
> >
> > It came to my attention that the pkg-auth team is the listed maintainer
> > of several Yubikey-related packages which seem not to receive attention
> > anymore.
> >
> > This concerns 14 packages[0], covering:
> > - 25 bugs, including 5 RC bugs;
> > - 8 packages with new upstream versions.
> >
> > In the case of the packages I'm most familiar with, libu2f-{host,server}
> > and pam-u2f, trivial FTBFS bugs have stayed open 2-3 months without
> > acknowledgement until they were solved by NMUs.
> >
> > I would like to join the team and take over maintainership of those 3
> > packages.  Moreover, I suggest we:
> > - file RFAs for the other 11 packages;
> > - move the packaging repositories to Alioth, so that we can actually
> >   maintain a state in Git that matches the state of the archive;
> >   this was a particularly frustrating issue when preparing my NMUs.
> >
> > Unfortunately, I do not even own the hardware required to use the
> > remaining 11 packages, so I cannot possibly take over their maintenance.
> >
> >
> > Best,
> >
> >   nicoo
> >
> >
> > [0] libu2f-host, libu2f-server, pam-u2f, libykneomgr, python-pyhsm,
> >     python-yubico, yubico-pam, yubico-piv-tool, yubikey-ksm,
> >     yubikey-neo-manager, yubikey-personalization-gui,
> >     yubikey-piv-manager, yubikey-val, yubikey-desktop
> >
> -- 
> Alessio Di Mauro
> Software Engineer | Yubico <http://www.yubico.com/>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-auth-maintainers/attachments/20160714/a290ef19/attachment.sig>

More information about the Pkg-auth-maintainers mailing list