[Pkg-auth-maintainers] Maintainance of Yubikey-related packages

Simon Josefsson simon at josefsson.org
Sun Sep 25 19:00:45 UTC 2016


Hello Nicolas,

Thanks for volunteering!  I tried to reach out to you earlier, when I
noticed that you did some work on pam-u2f.

The packages are group-maintained by the pkg-auth-maintainers group, so
by joining it you are effectively a maintainer of these packages.

Regarding push access, we could move the git repositories to Alioth, or
grant you write permission to the GitHub repository.  Up to cc'ed
Yubico folks to decide, I don't have a strong opinion.

I believe your summary regarding the status of these packages is
unfair. I did work on the YubiKey packages in the last two months, and
as far as I can tell from my dashboard page, they are all in good shape
except for yubikey-piv-manager that has a new upload release.  Did you
look at old data, or are we looking at different things?

https://udd.debian.org/dmd.cgi?email1=simon%40josefsson.org

To be concrete, what is unmaintained about these packages?

Let's use the pkg-auth-maintainers list for discussion.  We could
revive it in the process.

Cheers,
/Simon

> Hi Alessio,
> 
> Thanks for the acknowledgment (of the NMUs, of the problematic
> situation, and of my previous email).
> 
> Before I go any further, I would like to state that none of what
> follows is intended to be personal critique, just constructive
> criticism.
> 
> 
> On Thu, Jul 14, 2016 at 06:34:14PM +0200, Alessio Di Mauro wrote:
> > There is a discussion about some of us becoming DM and doing this
> > properly, but I see no harm in adding more people to the group.
> 
> I think we would all benefit from the discussion taking place in
> public, for instance on the pkg-auth-maintainers mailing-list.
> 
> Indeed, I have the impression that part of the problem is that it
> isn't currently easy for fellow Debian contributors to help you
> maintain those packages or have some visibility on what is going on.
> 
> 
> FYI, I'm neither a Debian Developer nor a DM (so I do not have any
> upload rights whatsoever), yet I was able to solve the bugs impacting
> the packages I cared about:  becoming DMs will only give you the
> ability to upload newer versions of those packages without going
> through a sponsored upload, it will not magically solve the current
> situation.
> 
> 
> In particular, I think there are two aspects to the situation:
> - the packages are not being maintained;
> - it is unreasonably difficult for other people to help, because:
>   - nobody except you has push access to the packaging repo,
>     not even the team that is the listed uploader;
>   - the pkg-auth team seems dead anyway, though we can revive it;
>   - the state in the packaging repositories is completely
>     disconnected from the state in the archive:
>     - some versions were committed in Git (almost a year ago)
>       but never existed in the archive;
>     - none of the NMUs that occurred have been imported in Git.
> 
> 
> Could you comment on my suggestion to push to Alioth packaging
> repositories with a sensible Git history, and advertise them (in the
> package metadata) as the actual packaging repos?
> 
> This would make it very easy to grant push access to all members of
> pkg-auth (and not have to manually maintain a copy of the member list
> on GitHub), and to take advantage of the existing tooling: the
> pkg-auth mailing list already receives ftp-master and BTS
> notifications, and the pkg-auth team has all relevant packages in its
> DPPO dashboard.
> 
> Moreover, this would be pretty easy to do once (at least) one of us
> is added to the pkg-auth team; for information, I already have such
> Git repos for pam-u2f, libu2f-host and libu2f-server.
> 
> 
> Best,
> 
>   nicoo
> 
> > Unfortunately however, most of the team is unavailable right now
> > due to summer leave. We'll resume the discussion as soon as
> > everybody is back, I just didn't want you to feel ignored or to
> > think that we're not interested in this issue.
> > 
> > Bye
> > A.
> > 
> > 
> > 
> > > From: "Nicolas Braud-Santoni" <nicolas at braud-santoni.eu>
> > > Date: Jul 8, 2016 18:39
> > > Subject: Maintainance of Yubikey-related packages
> > > To: <pkg-auth-maintainers at lists.alioth.debian.org>
> > > Cc: <klas at yubico.com>, <alessio at yubico.com>, <dain at yubico.com>
> > >
> > > Hi,
> > >
> > > It came to my attention that the pkg-auth team is the listed
> > > maintainer of several Yubikey-related packages which seem not to
> > > receive attention anymore.
> > >
> > > This concerns 14 packages[0], covering:
> > > - 25 bugs, including 5 RC bugs;
> > > - 8 packages with new upstream versions.
> > >
> > > In the case of the packages I'm most familiar with,
> > > libu2f-{host,server} and pam-u2f, trivial FTBFS bugs have stayed
> > > open 2-3 months without acknowledgement until they were solved by
> > > NMUs.
> > >
> > > I would like to join the team and take over maintainership of
> > > those 3 packages.  Moreover, I suggest we:
> > > - file RFAs for the other 11 packages;
> > > - move the packaging repositories to Alioth, so that we can
> > > actually maintain a state in Git that matches the state of the
> > > archive; this was a particularly frustrating issue when preparing
> > > my NMUs.
> > >
> > > Unfortunately, I do not even own the hardware required to use the
> > > remaining 11 packages, so I cannot possibly take over their
> > > maintenance.
> > >
> > >
> > > Best,
> > >
> > >   nicoo
> > >
> > >
> > > [0] libu2f-host, libu2f-server, pam-u2f, libykneomgr,
> > > python-pyhsm, python-yubico, yubico-pam, yubico-piv-tool,
> > > yubikey-ksm, yubikey-neo-manager, yubikey-personalization-gui,
> > >     yubikey-piv-manager, yubikey-val, yubikey-desktop
> > >
> > 
> > 
> > 
> > -- 
> > Alessio Di Mauro
> > Software Engineer | Yubico <http://www.yubico.com/>
