Dear Debian:

May was my first full month as DPL. It was busy, but I think I've found a rhythm that allows me to balance my DPL responsibilities against my job and the rest of my life. I'd like to thank Chris Lamb for pointing out the importance of paying attention to that balance early. I think I'll be a happier DPL for that advice.

While no date has been announced yet, excitement is certainly building for the Buster release. According to recent mail on debian-release, the large issue standing in the way of picking a release date is how to handle security for Go packages. Go packages are typically statically linked, so when a Go library receives a security update, all dependent packages need to be rebuilt. This requires tracking what needs to be rebuilt. There are also some infrastructure challenges around performing the necessary NMUs. It looks like progress is being made. So I think excitement is certainly in order. How do you plan to celebrate the Buster release?

Electrum
========

I was reading Reddit [1] and came across a thread discussing how the electrum package in sid led to a situation where an attacker gained your bitcoin credentials and all your money. “That’s kind of broken even for unstable, someone should fix that,” I thought. Then I realized that I was the project leader and this was my problem. No, perhaps not the bug itself, but when our processes fail it’s the DPL’s job to go track down what’s going on.

The bug [2] was reported, and even marked release-critical. It was severity serious not critical, and not tagged security. The maintainer was having trouble dealing with some of the new dependencies of the upstream version that fixed the bug. It was going to be a while before we got a fix into Debian, but the current situation was an active danger to our users.

It is not often that you get to NMU a package with no delay introducing a crash (and explanatory error) at startup without getting any complaints. Removing the package would have left the code that was actively being exploited on people’s computers.

For me it was a real awakening to being DPL and what that sometimes means.

[1]: https://www.reddit.com/r/debian/comments/bj3ild/just_a_warning_about_the_electrum_bitcoin_wallet/
[2]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921688

Dh as a Preferred Packaging Style
=================================

As promised, I started a discussion [3] on whether we wanted to prefer (and in some cases require) the dh sequencer from Debhelper as a package building tool. We had a great discussion. I published my understanding of our project consensus. We are seeking final comments until June 16. At this point, to contribute meaningfully, you probably do need to read a significant portion of the existing discussion along with the consensus call. After June 16 I’ll send a revised consensus summary to debian-devel-announce. Once we have captured the consensus, I will talk to people like the policy team to move forward.

While the main discussion was going on, I had some smaller discussions. I was initially planning to ask the TC to come up with an initial draft of policy changes based on the debian-devel discussion. I thought that a smaller group like the TC might give us some initial input for the broader debian-policy process to refine. I got some negative input on that approach that I think is worth digging into in more detail independent of the dh discussion. However, that also sparked a great discussion with the policy editors about how they might approach something like dh in their process. Based on that discussion, I think they have the energy and skill to move forward and I look forward to seeing how that part of the process runs.

[3]: https://lists.debian.org/msgid-search/tsla7fqjzyv.fsf@suchdamage.org

Git on Salsa
============

The next discussion I will drive is a discussion of whether we want to strongly recommend Debian packaging be done using Git on salsa.debian.org. I do not expect us to be able to come to as clear of a consensus as I think we have done on the dh discussion. There are a lot more factors to consider and a lot less uniformity in the project. I plan to run the discussion in a similar manner though. I’ll start out with a message that frames things and asks some key questions. During the discussion I will summarize where we seem to be going and flag areas where more input would help judge consensus.

Ian Jackson [4] started a survey of Git packaging practices. He is working to collect all the different approaches we have for using Git as part of writing a FAQ about dgit. I think that his survey will help us in the Salsa discussion too. If you use Git in your packaging, please take a look at his work and make sure the work flow you use is represented.

There was another discussion that will be great background for thinking about Git [5]. The discussion started when Gard Spreemann asked about preferred branch structures. However, we had a great discussion of some of the tradeoffs involved in Git workflows, dgit and related tools. I know I learned a lot.

[4]: https://lists.debian.org/msgid-search/23789.22766.778482.983490@chiark.greenend.org.uk
[5]: https://lists.debian.org/msgid-search/878svtcgp3.fsf@moose

Antiharassment Account Manager and DPL Meeting
==============================================

The account managers, antiharassment team and DPL have been trying to meet for a number of months. We finally picked a date and will be meeting in late June to discuss how we can all work together to keep Debian a safe and welcoming community.

Financial Activity
==================

* Approved budget for Debian Perl Sprint [6]
* Approved budget for Debian Edu sprint [7]
* Approved budget for Mini DebConf 2019 Hamburg [8]
* Talked to DebConf about their budget; a budget amendment came in at the end of the month but has not been reviewed yet
* Approved DSA expenses for support for our storage array

I also worked with the treasury team to develop some criteria that I use to evaluate requests to fund attending conferences. If you are logged into salsa, you can read the repository [9].

[6]: https://wiki.debian.org/Sprints/2019/DebianPerlSprint
[7]: https://wiki.debian.org/Sprints/2019/DebianEdu
[8]: https://wiki.debian.org/DebianEvents/de/2019/MiniDebConfHamburg
[9]: https://salsa.debian.org/treasurer-team/documentation

In Case You Missed It
=====================

* Mo Zhou proposed a policy on deep learning [10]. There are some significant questions that come up when we talk about whether a machine learning model is free software. This policy attempts to explore these questions. I hope ftpmaster will think about these issues when evaluating machine learning models in Debian.
* Mini DebConf Hamburg June 5-9 [8]
* Mini-DebConf Vaumarcus October 25-27 [11]

As a reminder, Debian can reimburse up to $100 US (or equivalent) for developers attending a bug squashing party (BSP).

* Debian welcomes our GSOC and Outreachy interns [12]

[10]: https://salsa.debian.org/lumin/deeplearning-policy
[11]: https://wiki.debian.org/DebianEvents/ch/2019/Vaumarcus
[12]: https://bits.debian.org/2019/05/welcome-gsoc2019-and-outreachy-interns.html

Feedback Requested
==================

As always, your feedback is welcome on these points or any aspect of the DPL's work. Similarly, if you would like to ask the DPL for help, you can write to leader@debian.org.