Web lists-archives.com

Re: Policy and procedures issue: init package hijacked via hostile NMU (declined by maintainers)




Hi!

On Sat, 2018-12-22 at 10:11:53 -0800, Josh Triplett wrote:
> Please note in the following mail that I'm raising this *exclusively* as a
> policy and procedures issue, *not* a technical issue.> 

> See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838480 . Rough
> summary of events:

I think the summary mischaracterizes the situation a bit TBH.

> - Dmitry Bogatov requested that the init metapackage depend on
>   runit-init (to enable runit as an alternative init system).
> - After a few months of back and forth, runit was updated to include
>   appropriate scripts for compatibility with expected interfaces of
>   init.
> - Dmitry popped up again after two years, in October, and then in
>   November said that he'd upload an NMU to DELAYED soon.
> - Martin Pitt promptly responded with a report that a system installed
>   with runit-init appears broken, and in particular appears to hang
>   without any ability to log in.

Martin also mentioned he "wouldn't veto" the inclusion even if the
functionality was not completely there, although he'd prefer a better
"OOTB experience".

> - Dmitry reported back that it "works for him", and no further debugging
>   appears to have taken place.

Dimitry sent another mail asking for a reproducer in the form of a VM or
similar. And mentioned being worried about missing the freeze deadline.

> - Dmitry uploaded an NMU to DELAYED/15.

Dimitry mentioned on the NMU announcement that (obviously) the
maintainers were free to cancel the NMU themselves.

> - One of the maintainers of the init metapackage requested the cancellation of
>   that NMU, on the basis of Martin's report of brokenness and the lack of any
>   debugging.  The maintainer suggested some possible paths forward (as well as
>   further testing).

Michael requested the cancelation (which he could also have done
himself) 14 days after the initial upload.

> - Dmitry refused to cancel the NMU, which then went into the archive.

Dimitry refused to cancel the NMU *himself*.

> - *After* the upload went through, Dmitry started proposing a mail to
>   the tech-ctte.

> As such, the Essential init package seems to have been hijacked by a
> hostile NMU refused by the maintainer. This NMU and its hijacking of the
> package was not discussed anywhere else (such as -devel or -ctte), was
> not approved by anyone else, and appears to be effectively a unilateral
> action on the package regarding a wishlist bug.

Please do not overload the existing meaning of hijacking in the Debian
context. There was no package hijack here at all. There was though, an
unwanted NMU, which personally I find to be a bad form of social
interaction within Debian.

> I am making the assumption that, in the 11 hours between that refusal
> and the hijacking NMU entering the archive, no entirely unforeshadowed
> behind-the-scenes discussion between the maintainer and Dmitry took
> place in which the differences were settled amicably and the debugging
> of this critical package was completed to everyone's satifaction.

But the maintainers had 15 days to cancel it themselves. Personally I
think not canceling an NMU one has done, which has been subsequently
deemed unwated to be quite rude, but still.

I think you are blowing this a bit out of proportion TBH?

Thanks,
Guillem