Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > linux.debian.maint.python > #15562

Re: Maintenance of python-cryptography

From Andreas Tille <andreas@an3as.eu>
Newsgroups linux.debian.maint.python
Subject Re: Maintenance of python-cryptography
Date 2024-03-14 09:00 +0100
Message-ID <IhOal-gBob-5@gated-at.bofh.it> (permalink)
References <IhAK6-gpJk-17@gated-at.bofh.it> <IhKgp-gykb-3@gated-at.bofh.it>
Organization linux.* mail to news gateway

Show all headers | View raw

Hi Scott,

Am Wed, Mar 13, 2024 at 11:39:50PM -0400 schrieb Scott Kitterman:
> On Wednesday, March 13, 2024 1:34:14 PM EDT Scott Kitterman wrote:
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064979
> > 
> > Would some of you who are pushing so hard to change the policy for
> > Uploaders/ Maintainer in the team please step up and take over this
> > package.  It really needs updated to the new upstream release (blocking
> > both aioquic and dnspythong for me, I don't know about others).

Reading the bug log of your request to upgrade this package has a hint
from Tue, 13 Feb 2024 [1] that some rust dependencies need updates
(thanks for the work on this Jérémy!  BTW, I merged you 41.0.7-5 changes
into master branch and closed bug #1046569 manualy)

The discussion about Policy change started two weeks later[2].  I might
miss the point in the connection you are drawing here.

> > I haven't done a comprehensive check, but I think morph asked for all the
> > leaf packages he was maintaining in the team to be removed from the archive
> > and is removing himself from uploaders/maintainer on others.

Your request to speak up[3] was not heard.  I would have prefered to
read constructive arguments instead of silent leaving the team (in the
sense of not informing the team mailing list about the leave).

> > You all made this mess.  Please clean it up.

I think the good intentions[4] in your sentences here are that you
really care about this important package and you fear that it is left
alone.  So thanks for the pointer.

What I did before your mail was sent:

python-cryptography (42.0.5-1) UNRELEASED; urgency=medium

  * Team upload.
  * New upstream version
    Closes: #1059308 (CVE-2023-50782)
    Closes: #1064778 (CVE-2024-26130)
    Closes: #1063771, #1018159
  * Reorder sequence of d/control fields by cme (routine-update)
  * watch file standard 4 (routine-update)
  * Enable building twice in a row
    Closes: #1046569

 -- Andreas Tille <tille@debian.org>  Thu, 29 Feb 2024 10:20:49 +0100

Meanwhile I marked bugs #1059308 and #1064778 pending (they could be
even closed but its good to have some record inside changelog if CVEs
are involved[5])  I also closed bug #1018159 which remained open for
no good reason and closed #1046569 manually since it was not mentioned
in changelog of latest upload.

Jérémy did:

python-cryptography (41.0.7-5) unstable; urgency=medium

  * AMAU, Closes: #1064979

  [ Andreas Tille ]
  * Enable building twice in a row

 -- Jérémy Lal <kapouer@melix.org>  Thu, 07 Mar 2024 13:42:35 +0100

> Actually, it looks like python-cryptography still has one uploader, but morph 
> was doing work on the package, it's complicated,

Since Tristan Seligmann went MIA the package was uploaded by:

 -- Jérémy Lal <kapouer@melix.org>  Thu, 07 Mar 2024 13:42:35 +0100
 -- Sandro Tosi <morph@debian.org>  Wed, 28 Feb 2024 12:23:58 -0500
 -- Jérémy Lal <kapouer@melix.org>  Thu, 08 Feb 2024 15:34:30 +0100
 -- Jérémy Lal <kapouer@melix.org>  Tue, 09 Jan 2024 01:14:48 +0100
 -- Jérémy Lal <kapouer@melix.org>  Sun, 07 Jan 2024 13:24:39 +0100
 -- Nicolas Dandrimont <olasd@debian.org>  Tue, 08 Aug 2023 17:16:11 +0200
 -- Sandro Tosi <morph@debian.org>  Tue, 28 Feb 2023 00:36:13 -0500
 -- Stefano Rivera <stefanor@debian.org>  Sun, 08 Jan 2023 16:31:04 -0400
 -- Sandro Tosi <morph@debian.org>  Thu, 15 Dec 2022 12:00:09 -0500
 -- Debian Janitor <janitor@jelmer.uk>  Thu, 19 May 2022 05:05:36 -0000
 -- Stefano Rivera <stefanor@debian.org>  Wed, 18 May 2022 12:22:15 -0400

Comment: Debian Janitor did not really uploaded the package.  The
Uploader of the subsequent upload probably accidentaly forgot to merge
the changelog entries.  The Upload
   Sandro Tosi <morph@debian.org>  Wed, 28 Feb 2024 12:23:58 -0500
is simply orphaning the package.  BTW, "orphaning" is defined by setting
Debian QA team as maintainer.  The package is not really orphaned but has
DPT as maintainer.  I understand your worries about this package but
looking at these entries I do not see in how far the current status
looks that bad.

> and could use more help, not 
> less.  Pyopenssl, on the other hand, is now unmaintained (no human uploader).

Pyopenssl is lagging slightly behind upstream.  Someone could care for
#1047548 but I personally ignore such bugs until other work on the
package needs to be done.  I'm optimistic that someone will step up
as Uploader.

Kind regards
    Andreas.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063771#10
[2] https://lists.debian.org/debian-python/2024/02/msg00052.html
[3] https://lists.debian.org/debian-python/2024/02/msg00060.html
[4] https://salsa.debian.org/python-team/tools/python-modules/-/merge_requests/21
[5] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059308#25

-- 
http://fam-tille.de

Back to linux.debian.maint.python | Previous | NextPrevious in thread | Next in thread | Find similar | Unroll thread

Thread

Maintenance of python-cryptography Scott Kitterman <debian@kitterman.com> - 2024-03-13 18:40 +0100
  Re: Maintenance of python-cryptography Scott Kitterman <debian@kitterman.com> - 2024-03-14 04:50 +0100
    Re: Maintenance of python-cryptography Andreas Tille <andreas@an3as.eu> - 2024-03-14 09:00 +0100
  Re: Maintenance of python-cryptography Scott Kitterman <debian@kitterman.com> - 2024-03-15 14:00 +0100
    Re: Maintenance of python-cryptography Scott Kitterman <sklist@kitterman.com> - 2024-03-15 17:10 +0100
  Re: Maintenance of python-cryptography Emmanuel Arias <eamanu@yaerobi.com> - 2024-03-15 17:30 +0100

csiph-web