
Re: Lottery NEW queue (Re: Are libraries with bumped SONAME subject of inspection of ftpmaster or not



Hi,

Not a DD, still raising my voice. I'm *not* advocating that Fedora's processes are "better", just trying to add ideas.

On 26/01/2022 11:43, Adam Borowski wrote:
> On Tue, Jan 25, 2022 at 09:38:01PM +0100, Vincent Bernat wrote:
>
>> I think we should forego the NEW queue. If people want to check
>> packages, they can do it once they are in unstable with regular bugs.
>
> Without the NEW queue, there would be no point at which packaging receives
> any sort of review.  I'd prefer Debian to deliver at least some level of
> quality.

Perhaps it is wrong to focus on the queue as such. The focus should be the need for a manual review -- this is IMHO the important point.

The current ftpmaster review model is somehow modeled after a "supervisor" idea. Fedora uses peer reviews. The advantage is the incentive to make reviews: I can review your package if you review mine. One could of course imagine that this would lead to sloppy reviews. However, this is not my experience.

It also means a more transparent process.


> Otherwise, we'd fall to the level of NPM.  And there's ample examples what
> that would mean.

Indeed.

>> Current checks are partly done by Lintian and I suppose people could
>> watch new Lintian warnings and detect bad packages quickly.
>
> Lintian is just a dumb machine that can ease human reviews but not replace
> them.


Yes. It's interesting to compare to Fedora's tooling fedora-review, which has another focus: it outputs a list of things to check when reviewing a package. Some of those are automatically checked, others are just a checkbox which should be manually checked. Lintian is a good tool, but not, IMHO, a review support.


>> This could be done when src is not NEW as a test.
>
> I've managed to trample upon someone else's package just yesterday -- and it
> escaped automated checks because a binary of that name already existed in
> the archive, just not on any arch which I test.


Yes, one of those manual checks...

On 26/01/2022 11:29, Adam Borowski wrote:

> For practical reasons we have to obey the laws, no matter how oppressive
> they are.  But I don't see why we should do more than eg. Fedora which
> has corporate backing with an actual legal team.

Also note that this legal team is *not* used to review all packages. Instead, they are a resource which is contacted by packagers when we need advice. The typical situation is a (peer) review where things cannot be settled. The legal team also files bugs as required, and maintains the packaging manual's copyright part.

Of course, this creates a very different social relation between the legal team and the rest.

Just my 5 öre
--alec
