[Pkg-auth-maintainers] Maintainance of Yubikey-related packages

Nicolas Braud-Santoni nicolas at braud-santoni.eu
Mon Sep 26 15:17:49 UTC 2016


Hi Simon,

On Sun, Sep 25, 2016 at 09:00:45PM +0200, Simon Josefsson wrote:
> Thanks for volunteering!  I tried to reach out to you earlier, when I
> noticed that you did some work on pam-u2f.

Oh, sorry for missing your messages.

I explicitly checked for messages from @yubico a few times, because
I was surprised not to get an answer beyond Alessio's.  However, I have
been fairly ill and unable to keep up with all my inbox  :(

If I'm not responding, you can always try instant messaging:

  https://nicolas.braud-santoni.eu/otr.asc


> The packages are group-maintained by the pkg-auth-maintainers group, so
> by joining it you are effectively a maintainer of these packages.

Yes, that's why I did it during Debconf.  :)


> I believe your summary regarding the status of these packages is
> unfair. I did work on the YubiKey packages in the last two months, and
> as far as I can tell from my dashboard page, they are all in good shape
> except for yubikey-piv-manager that has a new upload release.  Did you
> look at old data, or are we looking at different things?
> 
> https://udd.debian.org/dmd.cgi?email1=simon%40josefsson.org
> 
> To be concrete, what is unmaintained about these packages?
> 
> Let's use the pkg-auth-maintainers list for discussion.  We could
> revive it in the process.

All my messages with Yubico were CC'd to pkg-auth-maintainers,
but were stuck in the moderation queue for around 2 months.

That means the snark was directed at the state of the packages then,
which was markedly worse than it is now.  From my first mail:

> This concerns 14 packages[0], covering:
> - 25 bugs, including 5 RC bugs;
> - 8 packages with new upstream versions.
>
> In the case of the packages I'm most familiar with,
> libu2f-{host,server} and pam-u2f, trivial FTBFS bugs have stayed
> open 2-3 months without acknowledgement until they were solved by
> NMUs.


> Regarding push access, we could move the git repositories to alitoh, or
> grant you write permission to the github repository.  Up to cc'ed
> Yubico folks to decide, I don't have a strong opinion.

Given the lack of response from the aforementioned Yubico folks over the
last 2 months, and given that the current situation makes collaboration
difficult, I did go ahead during the Salzburg BSP and moved the repos
for pam-u2f and libu2f-{host,server} to Alioth.

I didn't do this lightly, as it is just shy of a hostile takeover of
the package, except that you are both working with them and a pkg-auth
admin; it would be highly helpful, I believe, if you could invite
Alessio & others in pkg-auth.


Best,

  nicoo

> > Hi Alessio,
> > 
> > Thanks for the acknowledgment (of the NMUs, of the problematic
> > situation, and of my previous email).
> > 
> > Before I go any further, I would like to state that none of what
> > follows is intended to be personal critique, just constructive
> > criticism.
> > 
> > 
> > On Thu, Jul 14, 2016 at 06:34:14PM +0200, Alessio Di Mauro wrote:
> > > There is a discussion about some of us becoming DM and doing this
> > > properly, but I see no harm in adding more people to the group.
> > 
> > I think we would all benefit from the discussion taking place in
> > public, for instance on the pkg-auth-maintainers mailing-list.
> > 
> > Indeed, I have the impression that part of the problem is that it
> > isn't currently easy for fellow Debian contributors to help you
> > maintain those packages or have some visibility on what is going on.
> > 
> > 
> > FYI, I'm neither a Debian Developer nor a DM (so I do not have any
> > upload rights whatsoever), yet I was able to solve the bugs impacting
> > the packages I cared about:  becoming DMs will only give you the
> > ability to upload newer versions of those packages without going
> > through a sponsored upload, it will not magically solve the current
> > situation.
> > 
> > 
> > In particular, I think there are two aspects to the situation:
> > - the packages are not being maintained;
> > - it is unreasonably difficult for other people to help, because:
> >   - nobody except you has push access to the packaging repo,
> >     not even the team that is the listed uploader;
> >   - the pkg-auth team seems dead anyway, though we can revive it;
> >   - the state in the packaging repositories is completely
> >     disconnected from the state in the archive:
> >     - some versions were committed in Git (almost a year ago)
> >       but never existed in the archive;
> >     - none of the NMUs that occurred have been imported in Git.
> > 
> > 
> > Could you comment on my suggestion to push to Alioth packaging
> > repositories with a sensible Git history, and advertise them (in the
> > package metadata) as the actual packaging repos?
> > 
> > This would make it very easy to grant push access to all members of
> > pkg-auth (and not have to manually maintain a copy of the member list
> > on Github), and to take advantage of the existing tooling: the
> > pkg-auth mailing list already receives ftp-master and BTS
> > notifications, and the pkg-auth team has all relevant packages in its
> > DPPO dashboard.
> > 
> > Moreover, this would be pretty easy to do once (at least) one of us
> > is added to the pkg-auth team; for information, I already have such
> > Git repos for pam-u2f, libu2f-host and libu2f-server.
> > 
> > 
> > Best,
> > 
> >   nicoo
> > 
> > > Unfortunately however, most of the team is unavailable right now
> > > due to summer leave. We'll resume the discussion as soon as
> > > everybody is back, I just didn't want you to feel ignored or to
> > > think that we're not interested in this issue.
> > > 
> > > Bye
> > > A.
> > > 
> > > 
> > > 
> > > > From: "Nicolas Braud-Santoni" <nicolas at braud-santoni.eu>
> > > > Date: Jul 8, 2016 18:39
> > > > Subject: Maintainance of Yubikey-related packages
> > > > To: <pkg-auth-maintainers at lists.alioth.debian.org>
> > > > Cc: <klas at yubico.com>, <alessio at yubico.com>, <dain at yubico.com>
> > > >
> > > > Hi,
> > > >
> > > > It came to my attention that the pkg-auth team is the listed
> > > > maintainer of several Yubikey-related packages which seem not to
> > > > receive attention anymore.
> > > >
> > > > This concerns 14 packages[0], covering:
> > > > - 25 bugs, including 5 RC bugs;
> > > > - 8 packages with new upstream versions.
> > > >
> > > > In the case of the packages I'm most familiar with,
> > > > libu2f-{host,server} and pam-u2f, trivial FTBFS bugs have stayed
> > > > open 2-3 months without acknowledgement until they were solved by
> > > > NMUs.
> > > >
> > > > I would like to join the team and take over maintainership of
> > > > those 3 packages.  Moreover, I suggest we:
> > > > - file RFAs for the other 11 packages;
> > > > - move the packaging repositories to Alioth, so that we can
> > > > actually maintain a state in Git that matches the state of the
> > > > archive; this was a particularly frustrating issue when preparing
> > > > my NMUs.
> > > >
> > > > Unfortunately, I do not even own the hardware required to use the
> > > > remaining 11 packages, so I cannot possibly take over their
> > > > maintenance.
> > > >
> > > >
> > > > Best,
> > > >
> > > >   nicoo
> > > >
> > > >
> > > > [0] libu2f-host, libu2f-server, pam-u2f, libykneomgr,
> > > > python-pyhsm, python-yubico, yubico-pam, yubico-piv-tool,
> > > > yubikey-ksm, yubikey-neo-manager, yubikey-personalization-gui,
> > > >     yubikey-piv-manager, yubikey-val, yubikey-desktop
> > > >
> > > 
> > > 
> > > 
> > > -- 
> > > Alessio Di Mauro
> > > Software Engineer | Yubico <http://www.yubico.com/>