
Re: We have a problem




On Wed, May 06, 2015 at 07:18:52PM +0200, John Paul Adrian Glaubitz wrote:
> On 05/06/2015 06:49 PM, Patrick Ouellette wrote:
> >> I grepped for your name in the changelogs of soundmodem
> > 
> > 
> > The soundmodem activity predates the user space package.  Sorry for
> > the confusion.  Back when soundmodem was part of the kernel
> > sources, there were tools packaged for userspace management of the
> > soundmodem.  This would be back in 1999-2001 time frame.
> 
> Then I don't see how you can claim to be a maintainer of the userspace
> package, those were different packages then.
>

Fair enough.
 
> >> Where is he saying that? He didn't change the Homepage field in 
> >> debian/control, did he?
> > 
> > 
> > He actually filed bug 781206 against soundmodem claiming:
> > 
> > "soundmodem's upstream maintainer is no longer maintaining the
> > package"
> 
> But he didn't change the package in that regard, so I don't see the
> problem.
> 

No, we (and he) got lucky because Iain decided to file the bug report
before changing the package.  If Thomas hadn't stepped in the package 
would have been changed when Iain updated the package to close the bug.
The level of effort to verify upstream was indeed unmaintained was not great.
Had Iain instead just updated the package without consulting the list
(in this case the bug report consulted the list) things would have turned
out differently.

> >> One of the other hallmarks is also to not try to bad-mouth
> >> other DMs and DDs and the fact that you CC'ed Sylvestre with your
> >> email when Sylvestre is Iain's AM is much worse than making such
> >> mistakes that you accuse Iain of.
> > 
> > 
> > Actually CCing the AM is something that should be done when there
> > is praise for or concern about a prospective maintainer's actions.
> 
> But as you can see, even his AM disagrees with you.
> 

Not entirely an accurate statement.  His AM was wondering why I was
CCing him on the ham radio issue.  I have discussed it in private
email with him.  If he wants to make it public he may.

Having been an AM I can attest that it is much easier to put together 
the report package if you have input from the developer community (good 
and bad) about an applicant.

At the end of the process, the AM is asked to recommend (or not) the
applicant.  This is not something that should be done lightly.

> > The "all" we are talking about were people who were interested in
> > maintaining the ham radio packages and never amounted to more than
> > 8 people.  The ideal was to show who was a member of the hamradio
> > maintainers group if I recall correctly.
> 
> Then why exactly would the control file have Maintainer field which
> includes all hamradio people through the list _and_ an Uploaders field
> with, according to you, the list of all people in the hamradio group.
> 

debian-hams is the ham radio maintainer list open to anyone.  It is the email
address associated with the hamradio maintainers.  The uploaders
list shows the Debian people actually interested in working on the package
(and presumably subscribed to the email list).  Is that a better explanation
for you?

> That doesn't make any sense, does it? If you're on the list, you are
> receiving all mails (bugs reports, FTP mails etc) regarding the
> packages, so I don't really see your point.
>

That is kind of the point - he didn't even bother to send a message to
the list.  I saw the report from the archive when the new package was
uploaded.  There was a note in the change log about updating the uploaders
list.  I had to go to the archive and grab the change log to find out I
was removed from it.
 
> > Not my original ideal - I didn't create the group.  Again, the idea
> > was not to include every developer, but those who were working on
> > the ham tools. FWIW, it has worked ok up until the last year or 2.
> > I don't recall any major problems with ham developers duplicating
> > work or having conflicting changes.
> 
> Yeah, it's still wrong. As I explained before.


Right or wrong it is what we have.

> 
> >>> So you are now judge, jury and executioner with the power to 
> >>> declare Debian Developers retired from the project?  It is such
> >>> a relief to know you have the gift of reading people's hearts
> >>> and minds without consulting them.
> > 
> >> Dude, calm down. He didn't kick you out of Debian. He,
> >> rightfully, removed you from the list of Uploaders because, you
> >> know, you weren't uploading.
> > 
> > 
> > I am calm.  This was not an instance of an unmaintained package.
> > It was a package that had not changed much upstream for the last
> > couple of years until the last week or so.  He did not even have
> > the common decency to ask the hamradio maintainers list.
> 
> Ask regarding what? Regarding the new upstream version?
> 

Ask (or even notify) the people he was removing from the package uploaders 
list.

> > He was also fully aware I was devoting more time for Debian. He
> > willfully chose to not ask or even drop a note to the list that he
> > wanted to/was removing uploaders.
> > 
> > It is not the first time he has taken unilateral action concerning
> > ham radio packages, and other people have expressed concerns to me
> > in private about this.
> 
> Then these people should post to the debian-hams mailing list because,
> as you can see, everyone else so far on this list disagrees with you.
> 

Only the people who have currently seen the discussion and decided it
was worth their time have posted to the list.

> You are free to forward these particular messages to me in private.
>

Not without the permission of the authors.  If they grant it I will.
 
> >>> I am more than a little concerned that you haven't completed
> >>> the NM process and are able to upload packages....
> > 
> >> What the hell is this supposed to mean? Are you actually reading
> >> what you are saying here? You are philosophizing on how we should
> >> treat each other in Debian but then you are writing sentences
> >> like these.
> > 
> > 
> > That means we have someone, I am sure with good intentions, who has
> > not completed the Debian process for becoming a maintainer or
> > developer.  He has been given root access to every machine that
> > runs Debian.
> 
> Uhm, he has only permissions to upload the packages that he has been
> given permission to. Claiming that he would get root access running
> Debian if he gets dm-allow for soundmodem is a bit stretched, don't
> you think?
> 

No.  The package scripts run with root permissions.  There is nothing
stopping a malicious script from being uploaded as part of a package.
Debian provides little in the way of safeguards against this other than
the developer community. 

That such an event has never happened does not mean it will never happen.

> > His demonstrated penchant to run ahead with changes to existing
> > packages without consulting the maintainer group makes me a little
> > nervous that he just might change something overzealously, without
> > considering all the circumstances, that may cause unintentional
> > difficulties for the users of the affected packages.
> 
> You're being paranoid, I'm sorry. He did absolutely nothing that would
> make any reasonable person come to this conclusion.
> 

Some would say I am being careful to identify potential risks.  Identifying 
risks, deciding the probability of the risk being exploited or causing harm, 
and then developing appropriate responses is part of being a responsible 
system administrator.  So yes, I'm paranoid.

Pat