[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

It's Huntin' Season



...or, _How to NMU and Get Away With It_. A LaMontiana Jones adventure.


There's been some clamour recently for an explanation of how the release
process is meant to get us from here to a release. The simple answer is
that it's not.

There is absolutely no magic that can be done to make a bunch of buggy
useless software acceptable as a Debian release. To take the absolutely
simplest example, we can't release with a glibc with well known security
related bugs.

The testing scripts, the pool-ized archive software, adding, removing
and rearranging packages, none of it can do anything to help that.

But that's not to say that there's nothing at all that can be done to get
a release out when we currently have a bunch of buggy software. Indeed,
it's quite obvious what needs to be done: we need to fix it.

So, this is a call for help, primarily to existing Debian developers:

                          Please help fix bugs!

There are three ways you can do this, each of which requires various
different levels of skill and involvement in Debian:

	* You can find bugs, and try to understand what causes them, so
	  that people can actually fix them. There are plenty of bugs
	  that've been seen but not investigated enough for anyone to be
	  able to work on fixing them, and they'll never get solved at
	  that rate. Pretty much anyone can do this, but it does require
	  some intelligence and some time.

	* Work out a fix for the bug, test that the fix actually works,
	  and that it doesn't break anything else. This just involves
	  knowing how to program, and having a good diagnosis of the
	  problem, generally. Anyone can send patches to the bug tracking
	  system.

	* Actually upload the fixed package to Debian, and ensure that it
	  really didn't introduce any new bugs when it gets rolled out
	  on the thousands of machines that run unstable. You need to
	  be a Debian developer to be able to do this.

Resolving a bug requires all three of these things; just doing the first
one or two isn't enough, but if you don't bother doing any of them
("There was some problem when I ran vi. Dunno why. Please fix it."),
there's absolutely no chance it'll ever get fixed.

This particular mail is focussed on the last of these. Right now, we're
doing an absolutely abhorrent job of actually getting fixes into
Debian. In our release-critical bug list (which, you'll recall, is
a list of packages that have security issues, like to rm -rf / when
you install them, don't work at all, don't build on our autobuilders,
and similar things) we have dozens of bugs with known fixes that we,
as a group, haven't managed to actually apply and upload.

The reason we've been so poor at this, is that for some reason it's become
taboo for anyone except the package's maintainer to make uploads. There
is no good reason for this, and there are many reasons against it.

As of now this is no longer the case. Non-maintainer uploads of packages
are *okay*. If you're not uploading new versions of your package when
improvements become available in a timely manner, don't act surprised
if someone else does.

This will continue until woody's release when it'll get re-evaluated,
or when chaos and darkness take over the universe by way of general
resolution.

That's not all there is to say about it though. Hit and run package
maintenance doesn't work, and it's very easy to fall into that frame of
mind when you're uploading packages that you don't maintain.

So, if you're going to NMU packages (and this applies to the porters
who've been doing NMUs already too) please be *very* careful of the
following things:

	* A maintainer upload is better than a non-maintainer upload.
	  Merging stuff from an NMU takes time and care. If it's not
	  necessary, why the maintainer to waste time doing that instead
	  of fixing other bugs or adding new features? OTOH, an NMU is
	  better than nothing.

	* If you understand a bug better than the maintainer, or if
	  you can provide a fix and the maintainer can't, then pass on
	  that information to the maintainer. Not everything needs an NMU.

	* Generally (especially for normal or wishlist bugs) there's no
	  reason not to give the maintainer a little time to digest the
	  bug, or its fixed. Refer back to the first point. If the bug
	  hasn't been filed yet, or the patch hasn't been sent to the bug,
	  you almost certainly shouldn't be making an NMU... yet. One way
	  to make this a little easier on you as an NMUer, is to use the
	  incoming/DELAYED directory. Stuff uploaded to
		incoming/DELAYED/5-day/
	  will be moved into incoming in five days, so you can email
	  xxx@bugs.debian.org with a note that says "This bug can be fixed
	  by applying this patch [...]. I've uploaded an NMU with version
	  number X-Y.Z into incoming/DELAYED, so it'll get processed in
	  five days, if you don't get around to it sooner."

	* Once you've made an NMU it is your responsibility to make
	  absolutely sure you didn't break the package (in spite of
	  your copious testing of it), and, if you did, to fix it. Check
	  the package's bug page(s) regularly. Subscribe to the package
	  through the PTS to get copies of its bug reports.

The above are only guidelines as to *when* you might wish to do an NMU. You
still need to follow all the usual steps in making sure your NMU is good:

	* Get it right. Test, test, test, and keep on testing.
	* Set the version number to the approriate -X.Y
	* Don't mess with the way the maintainer likes to maintain his
	  package. An NMU isn't an opportunity to debhelperize someone's
	  package, nor to override the maintainer's decision about which
	  bugs should be fixed, or how they should be fixed.

There are probably others too. Try to make sure your NMU is something
the package maintainer would be proud to have uploaded.

There may be more things than this that you can do to make Debian more
reliable and less buggy. In some cases, there may be no need to worry
about one or another of the above. Mostly: use your head, try not to
get in anyone else's way, and, if you make a mistake, fix it.

There are a lot more things to fix than "the package doesn't build on
one of hppa, ia64 or s390". There should be more people making high
quality NMUs than just LaMont and Gerhard.

Cheers,
aj (woody release manager)

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
GPG signed mail preferred.

The daffodils are coming. Are you?
      linux.conf.au, February 2002, Brisbane, Australia
                                --- http://linux.conf.au/

Attachment: pgpnjSvytLdZW.pgp
Description: PGP signature


Reply to: