Bits from the DPL

To: Debian Developers <debian-devel-announce@lists.debian.org>
Subject: Bits from the DPL
From: Andreas Tille <tille@debian.org>
Date: Mon, 5 Jan 2026 07:58:31 +0100
Message-id: <[🔎] aVthFxsbIoh7anuy@an3as.eu>
Mail-followup-to: debian-devel@lists.debian.org
Dear Debian community,

This is bits from the DPL for December.

For those of you who have enjoyed some free time recently: I hope it was
well spent, and I wish all of you a happy 2026.


Include git commit id and git tree id in *.changes files
========================================================

A long thread on debian-devel[gc01] discussed how to establish a
verifiable audit path between a Git repository and an actual Debian
upload, motivated by improved traceability and supply-chain
transparency. It was noted that uploads performed via tag2upload already
provide such a link today, and that this mechanism is intentionally
well-scoped and semantically defined[gc02].

The discussion also made clear why a generic solution is
difficult[gc03]: differing packaging workflows, ambiguous repository
states, and the risk of encoding misleading metadata all require careful
consideration. At the same time, the thread illustrates that such
traceability is only meaningful where a well-defined version control
history exists. From my perspective, this is an additional argument in
favour of maintaining Debian packaging in Git repositories, as it
enables trustworthy links between source history and uploads once
appropriate tooling and conventions are agreed upon.


[gc01] https://lists.debian.org/debian-devel/2025/12/msg00127.html
[gc02] https://lists.debian.org/debian-devel/2025/12/msg00223.html
[gc03] https://lists.debian.org/debian-devel/2025/12/msg00150.html


Status of some teams
====================

Data Protection Team
--------------------

As you may have read in my recent call for volunteers [dt01], Debian
currently has no active Data Protection Team. All previous delegates
have stepped back, and the delegation has therefore been revoked.

This leaves Debian without a dedicated team to handle data protection
and privacy-related matters, which is not a sustainable situation. I
would very much welcome volunteers who are interested in data protection
and privacy to help re-establish the team.

Several people asked for more detail about what the role involves. A
working knowledge of data protection, in particular the GDPR, is
essential. In practice, the workload has been low: the team handled four
requests in 2025. Additional proactive work, such as improving the
privacy policy or advising teams on data-handling workflows, is welcome
but optional and can be shaped by the interests of the volunteers.

The previous team stepped back mainly due to a lack of capacity and
enthusiasm to take the work further, not because of specific problems.
There are no formal external relationships, no requirement to be in a
specific location, and some handover support is available if needed.

This is a role which requires trust.  An established track record within
the Debian community is therefore important, and it may be difficult for
someone who has only very recently become a Debian Developer to take on
this role immediately.  Since formal delegations can only be made to
Debian Developers, this status is a requirement for the role.

If a group of interested Debian Developers comes together, I am also
open to revisiting and updating the delegation text itself. Adjusting
the scope and definition of the team's tasks to better match current
needs could help set a new team up for success, and this can be
discussed in advance as part of forming a refreshed delegation.

[dt01] https://lists.debian.org/debian-devel-announce/2026/01/msg00001.html


MIA team
--------

Another topic I would like to draw attention to is the MIA team[mt00]. At
DebConf, I joined the MIA team internal meeting [mt01]. The discussion
there was very promising and included a concrete proposal to improve the
handling of inactive accounts, with ideas for increased automation and
clearer workflows. This gave me confidence that we could make meaningful
progress in an area that is important both for project continuity and
for individual contributors.

Unfortunately, since the public announcement about the BoF [mt02], there
has been no further update. Private questions from me about the current
status have also not received a response so far. Given the importance of
this work for Debian, I would like to encourage people who are
interested in this area to consider joining and helping to strengthen
the MIA team's activities. In addition, I am considering whether an
explicit official delegation would help provide clarity and support for
this work.

[mt00] https://wiki.debian.org/Teams/MIA
[mt01] https://debconf25.debconf.org/talks/232-mia-team-internal-meeting/
[mt02] https://lists.debian.org/debian-project/2025/07/msg00006.html


Future DFSG team
----------------

The handover to the future DFSG team is currently in progress, with
technical details still under discussion. As the team has not yet been
formally delegated and therefore does not have access to packages in the
NEW queue, training has been done using packages currently in NEW, with
source code retrieved from Salsa.

In parallel, a dashboard has been developed to help organize the team's
work and to improve transparency of DFSG reviews. This tooling is
expected to be announced soon and should make both the internal workflow
and the team's activities more visible to the wider community.


Radio TuX interview in German
=============================

In August I recorded an interview with RadioTux, which was broadcasted
in December. The conversation covers Debian in general, current
challenges in the project, and my role as Debian Project Leader. The
interview is in German and is available via the RadioTux archive.

https://www.radiotux.de/index.php?/archives/2025/12.html
https://archiv.radiotux.de/sendungen/radiotux/2025-12-06.RadioTux.Magazin.Dezember2025.ogg#t=960


A personal thank you
====================

Looking back at the past year, I would like to personally thank everyone
who contributes to Debian. Many people invest time and energy far beyond
maintaining their own packages: reviewing work, improving
infrastructure, mentoring others, resolving conflicts, and keeping the
long-term health of the project in mind.

This kind of engagement is not always visible, but it is essential for
Debian to function as a sustainable and welcoming project. I am grateful
for the dedication, care, and responsibility that so many of you show,
often quietly and without much recognition.


Kind regards
    Andreas.
Attachment: signature.asc
Description: PGP signature
Reply to:
Prev by Date: MiniDebConf Campinas 2026
Next by Date: Clarification: Call for volunteers: Data Protection Team went out to Debian Developers only
Previous by thread: MiniDebConf Campinas 2026
Next by thread: Clarification: Call for volunteers: Data Protection Team went out to Debian Developers only
Index(es):
- Date
- Thread