


Maintenance of python-cryptography

Started by: Scott Kitterman <debian@kitterman.com>
First post: 2024-03-13 18:40 +0100
Last post: 2024-03-15 17:30 +0100
Articles: 6, 4 participants



Contents

  Maintenance of python-cryptography Scott Kitterman <debian@kitterman.com> - 2024-03-13 18:40 +0100
    Re: Maintenance of python-cryptography Scott Kitterman <debian@kitterman.com> - 2024-03-14 04:50 +0100
      Re: Maintenance of python-cryptography Andreas Tille <andreas@an3as.eu> - 2024-03-14 09:00 +0100
    Re: Maintenance of python-cryptography Scott Kitterman <debian@kitterman.com> - 2024-03-15 14:00 +0100
      Re: Maintenance of python-cryptography Scott Kitterman <sklist@kitterman.com> - 2024-03-15 17:10 +0100
    Re: Maintenance of python-cryptography Emmanuel Arias <eamanu@yaerobi.com> - 2024-03-15 17:30 +0100

#15559 — Maintenance of python-cryptography

From: Scott Kitterman <debian@kitterman.com>
Date: 2024-03-13 18:40 +0100
Subject: Maintenance of python-cryptography
Message-ID: <IhAK6-gpJk-17@gated-at.bofh.it>


https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064979

Would some of you who are pushing so hard to change the policy for Uploaders/
Maintainer in the team please step up and take over this package.  It really 
needs updated to the new upstream release (blocking both aioquic and 
dnspython for me, I don't know about others).

I haven't done a comprehensive check, but I think morph asked for all the leaf 
packages he was maintaining in the team to be removed from the archive and is 
removing himself from uploaders/maintainer on others.

You all made this mess.  Please clean it up.

Scott K



#15560

From: Scott Kitterman <debian@kitterman.com>
Date: 2024-03-14 04:50 +0100
Message-ID: <IhKgp-gykb-3@gated-at.bofh.it>
In reply to: #15559


On Wednesday, March 13, 2024 1:34:14 PM EDT Scott Kitterman wrote:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064979
> 
> Would some of you who are pushing so hard to change the policy for
> Uploaders/ Maintainer in the team please step up and take over this
> package.  It really needs updated to the new upstream release (blocking
> both aioquic and dnspython for me, I don't know about others).
> 
> I haven't done a comprehensive check, but I think morph asked for all the
> leaf packages he was maintaining in the team to be removed from the archive
> and is removing himself from uploaders/maintainer on others.
> 
> You all made this mess.  Please clean it up.

Actually, it looks like python-cryptography still has one uploader, but morph 
was doing work on the package, it's complicated, and could use more help, not 
less.  Pyopenssl, on the other hand, is now unmaintained (no human uploader).

Scott K



#15562

From: Andreas Tille <andreas@an3as.eu>
Date: 2024-03-14 09:00 +0100
Message-ID: <IhOal-gBob-5@gated-at.bofh.it>
In reply to: #15560

Hi Scott,

Am Wed, Mar 13, 2024 at 11:39:50PM -0400 schrieb Scott Kitterman:
> On Wednesday, March 13, 2024 1:34:14 PM EDT Scott Kitterman wrote:
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064979
> > 
> > Would some of you who are pushing so hard to change the policy for
> > Uploaders/ Maintainer in the team please step up and take over this
> > package.  It really needs updated to the new upstream release (blocking
> > both aioquic and dnspython for me, I don't know about others).

Reading the bug log of your request to upgrade this package has a hint
from Tue, 13 Feb 2024 [1] that some rust dependencies need updates
(thanks for the work on this Jérémy!  BTW, I merged your 41.0.7-5 changes
into master branch and closed bug #1046569 manually)

The discussion about Policy change started two weeks later[2].  I might
miss the point in the connection you are drawing here.

> > I haven't done a comprehensive check, but I think morph asked for all the
> > leaf packages he was maintaining in the team to be removed from the archive
> > and is removing himself from uploaders/maintainer on others.

Your request to speak up[3] was not heard.  I would have preferred to
read constructive arguments instead of silently leaving the team (in the
sense of not informing the team mailing list about the leave).

> > You all made this mess.  Please clean it up.

I think the good intentions[4] in your sentences here are that you
really care about this important package and you fear that it is left
alone.  So thanks for the pointer.

What I did before your mail was sent:

python-cryptography (42.0.5-1) UNRELEASED; urgency=medium

  * Team upload.
  * New upstream version
    Closes: #1059308 (CVE-2023-50782)
    Closes: #1064778 (CVE-2024-26130)
    Closes: #1063771, #1018159
  * Reorder sequence of d/control fields by cme (routine-update)
  * watch file standard 4 (routine-update)
  * Enable building twice in a row
    Closes: #1046569

 -- Andreas Tille <tille@debian.org>  Thu, 29 Feb 2024 10:20:49 +0100

Meanwhile I marked bugs #1059308 and #1064778 pending (they could be
even closed but it's good to have some record inside changelog if CVEs
are involved[5]).  I also closed bug #1018159 which remained open for
no good reason and closed #1046569 manually since it was not mentioned
in changelog of latest upload.

Jérémy did:

python-cryptography (41.0.7-5) unstable; urgency=medium

  * AMAU, Closes: #1064979

  [ Andreas Tille ]
  * Enable building twice in a row

 -- Jérémy Lal <kapouer@melix.org>  Thu, 07 Mar 2024 13:42:35 +0100

> Actually, it looks like python-cryptography still has one uploader, but morph 
> was doing work on the package, it's complicated,

Since Tristan Seligmann went MIA the package was uploaded by:

 -- Jérémy Lal <kapouer@melix.org>  Thu, 07 Mar 2024 13:42:35 +0100
 -- Sandro Tosi <morph@debian.org>  Wed, 28 Feb 2024 12:23:58 -0500
 -- Jérémy Lal <kapouer@melix.org>  Thu, 08 Feb 2024 15:34:30 +0100
 -- Jérémy Lal <kapouer@melix.org>  Tue, 09 Jan 2024 01:14:48 +0100
 -- Jérémy Lal <kapouer@melix.org>  Sun, 07 Jan 2024 13:24:39 +0100
 -- Nicolas Dandrimont <olasd@debian.org>  Tue, 08 Aug 2023 17:16:11 +0200
 -- Sandro Tosi <morph@debian.org>  Tue, 28 Feb 2023 00:36:13 -0500
 -- Stefano Rivera <stefanor@debian.org>  Sun, 08 Jan 2023 16:31:04 -0400
 -- Sandro Tosi <morph@debian.org>  Thu, 15 Dec 2022 12:00:09 -0500
 -- Debian Janitor <janitor@jelmer.uk>  Thu, 19 May 2022 05:05:36 -0000
 -- Stefano Rivera <stefanor@debian.org>  Wed, 18 May 2022 12:22:15 -0400

Comment: Debian Janitor did not really upload the package.  The
Uploader of the subsequent upload probably accidentally forgot to merge
the changelog entries.  The Upload
   Sandro Tosi <morph@debian.org>  Wed, 28 Feb 2024 12:23:58 -0500
is simply orphaning the package.  BTW, "orphaning" is defined by setting
Debian QA team as maintainer.  The package is not really orphaned but has
DPT as maintainer.  I understand your worries about this package but
looking at these entries I do not see in how far the current status
looks that bad.

> and could use more help, not 
> less.  Pyopenssl, on the other hand, is now unmaintained (no human uploader).

Pyopenssl is lagging slightly behind upstream.  Someone could care for
#1047548 but I personally ignore such bugs until other work on the
package needs to be done.  I'm optimistic that someone will step up
as Uploader.

Kind regards
    Andreas.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063771#10
[2] https://lists.debian.org/debian-python/2024/02/msg00052.html
[3] https://lists.debian.org/debian-python/2024/02/msg00060.html
[4] https://salsa.debian.org/python-team/tools/python-modules/-/merge_requests/21
[5] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059308#25

-- 
http://fam-tille.de



#15584

From: Scott Kitterman <debian@kitterman.com>
Date: 2024-03-15 14:00 +0100
Message-ID: <Iifke-gRXo-5@gated-at.bofh.it>
In reply to: #15559

On March 15, 2024 7:19:16 AM UTC, Thomas Goirand <zigo@debian.org> wrote:
>On 3/13/24 18:34, Scott Kitterman wrote:
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064979
>> 
>> Would some of you who are pushing so hard to change the policy for Uploaders/
>> Maintainer in the team please step up and take over this package.  It really
>> needs updated to the new upstream release (blocking both aioquic and
>> dnspython for me, I don't know about others).
>> 
>> I haven't done a comprehensive check, but I think morph asked for all the leaf
>> packages he was maintaining in the team to be removed from the archive and is
>> removing himself from uploaders/maintainer on others.
>> 
>> You all made this mess.  Please clean it up.
>
>Absolutely not. Sandro did. There's btw absolutely no reason to declare a package as "orphan" if it is supposed to be team maintained. It's also a very bad behavior to do this silently, without telling the team about it, or taking part in the thread. I very much regret things are happening this way, but I don't think the rest of the team should be held responsible.
>
>If you have the list of the packages matching what you are saying, please do share.
>
>On 3/14/24 08:52, Andreas Tille wrote:
>> I would have preferred to
>> read constructive arguments instead of silently leaving the team (in the
>> sense of not informing the team mailing list about the leave).
>
>Me too. But I'm not surprised.

I didn't have a list, I'm glad someone went through and made one.

Yes, he might have handled his departure from the team differently, but I found the entire discussion about changing the team policy on setting the maintainer very off putting.  I haven't talked to him about it beyond making sure he was aware of the discussion, so I don't know why he handled it the way he did, but I can easily imagine he was quite frustrated.

Frankly, I think statements like the above aren't particularly consistent with the project CoC and have me thinking again about if this is the kind of team I care to be involved with.

While the way he left the team is on him, the fact that it even came up is 100% on the people pushing this change.  I don't think there's any evidence that some other reason is the cause.

Also, for packages which are team maintained, but only have one uploader, orphaning is exactly the correct thing to do when that person gives up the package.  A human uploader is required.  Similarly, it's the maintainer's call if a package should be removed or if it can remain maintained by QA.  While I agree more communication would have been better, those are entirely appropriate actions for a team maintained package with a single uploader.

Scott K



#15589

From: Scott Kitterman <sklist@kitterman.com>
Date: 2024-03-15 17:10 +0100
Message-ID: <Iiii5-gTWg-7@gated-at.bofh.it>
In reply to: #15584

On March 15, 2024 3:47:25 PM UTC, Thomas Goirand <zigo@debian.org> wrote:
>On 3/15/24 13:52, Scott Kitterman wrote:
>> 
>> 
>> On March 15, 2024 7:19:16 AM UTC, Thomas Goirand <zigo@debian.org> wrote:
>>> On 3/14/24 08:52, Andreas Tille wrote:
>>>> I would have preferred to
>>>> read constructive arguments instead of silently leaving the team (in the
>>>> sense of not informing the team mailing list about the leave).
>>> 
>>> Me too. But I'm not surprised.
>> 
>> I didn't have a list, I'm glad someone went through and made one.
>> 
>> Yes, he might have handled his departure from the team differently, but I found the entire discussion about changing the team policy on setting the maintainer very off putting.  I haven't talked to him about it beyond making sure he was aware of the discussion, so I don't know why he handled it the way he did, but I can easily imagine he was quite frustrated.
>> 
>> Frankly, I think statements like the above aren't particularly consistent with the project CoC and have me thinking again about if this is the kind of team I care to be involved with.
>
>Which part? The one where I am saying that I'm not surprised? That in no way should be taken badly, or as an attack on him. Let me explain then.
>
>I too, would prefer if Sandro didn't leave, even if I had difficult moments when communicating with him. I stated it already, I did appreciate his contribution to the team, and to the project at large.
>
>Though it's a fact that I was not surprised, because you mentioned it. We knew in advance it could happen. Looking backward, it seems it was inevitable, unfortunately.
>
>I'd be very sad to see you go as well, please stay.
>
>> While the way he left the team is on him, the fact that it even came up is 100% on the people pushing this change.
>
>I do not agree. It came up because what it was generating (frustration, flames about "rogue uploads", you name it...) had to be addressed.
>

My level of frustration is not declining.

I suggest to you that the source of the emails about rogue uploads were the rogue uploads.  I think that not following the rules and then complaining that people called you on not following the rules has an obvious source.

This was an avoidable own goal on the team's part because, in my judgement, there was too little openness to diversity of opinions on how to do things.

Scott K



#15590

From: Emmanuel Arias <eamanu@yaerobi.com>
Date: 2024-03-15 17:30 +0100
Message-ID: <IiiBr-gU2z-5@gated-at.bofh.it>
In reply to: #15559


Hi!




On Fri, Mar 15, 2024 at 4:19 AM Thomas Goirand <zigo@debian.org> wrote:

> On 3/13/24 18:34, Scott Kitterman wrote:
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064979
> >
> > Would some of you who are pushing so hard to change the policy for Uploaders/
> > Maintainer in the team please step up and take over this package.  It really
> > needs updated to the new upstream release (blocking both aioquic and
> > dnspython for me, I don't know about others).
> >
> > I haven't done a comprehensive check, but I think morph asked for all the leaf
> > packages he was maintaining in the team to be removed from the archive and is
> > removing himself from uploaders/maintainer on others.
> >
> > You all made this mess.  Please clean it up.
>
> Absolutely not. Sandro did. There's btw absolutely no reason to declare
> a package as "orphan" if it is supposed to be team maintained. It's also
> a very bad behavior to do this silently, without telling the team about
> it, or taking part in the thread. I very much regret things are
> happening this way, but I don't think the rest of the team should be
> held responsible.
>
> If you have the list of the packages matching what you are saying,
> please do share.
>

I think you are looking for this
https://lists.debian.org/debian-python/2024/03/msg00045.html

>
> On 3/14/24 08:52, Andreas Tille wrote:
>  > I would have preferred to
>  > read constructive arguments instead of silently leaving the team (in the
>  > sense of not informing the team mailing list about the leave).
>
> Me too. But I'm not surprised.
>
>
> Cheers,
>
> Thomas Goirand (zigo)
>
>


