[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

unauthorized upload of xfree86 4.3.0-1 to unstable

[Sorry for crossposting; this mail touches on subjects of concern to a
few lists, and I have included my suggestions for followup to individual
lists in this message.]

FYI, for those who didn't know already, an upload identifying itself as
xfree86 4.3.0-1, not authorized by me, was made by Daniel Stone to
Debian unstable early Tuesday morning UTC.  It was UNACCEPTed by katie
at the direction of the Debian archive administrators[1], which spared
me the trouble of uploading an epoched xfree86 to unstable (1:4.2.1-16).

This upload was done without advance notice to, or consultation with the
rest of the X Strike Force (XSF) team, and in conflict with the release
plan[2] set down in the XSF Subversion repository.

xfree86 4.2.1-16 is currently in preparation for upload to unstable; a
preview of its contents[3] can be seen in the XSF Subversion repository.

I have suspended Daniel Stone's access to the XSF Subversion repository
because I am not willing to work in an environment where this sort of
surprise is sprung on me and the rest of the team.  It's worth noting,
however, that this doesn't actually prevent him (or anyone else with a
key in the keyring) from doing another upload of this nature.

Furthermore, an upload which resembles both a hijack and an NMU[4], but
isn't quite either one, and abides by no countenanced procedure (that I
know of) in the Debian Policy Manual or Debian Developer's Reference
strikes me as improper, and as a violation of the loose code of conduct
that we agree to abide by when we become developers.

I would welcome follow-up to the debian-project list as to how we can
clarify this sort of procedural ambiguity, whether Daniel Stone or I
have transgressed the letter or spirit of any standard of conduct,
whether his upload may have been justified even if it did violate some
sort of code of conduct (perhaps because we have been waiting too long
for a 4.3.0 upload to unstable), whether any sort of sanction should
take place as a result of these actions, and what standards of procedure
and courtesy we should have in team-maintained packages.

I will note that Daniel Stone and I have already had a phone
conversation about this -- after he did his upload and I expressed my
alarm on IRC.  The conversation was fairly long and perfectly civil, but
neither of us changed our minds about the fundamental actions taken.  At
least as of 36 hours ago or so, he continued to feel he did the right
thing, and I continue to feel he did not.  I will not attempt to
represent his point of view, or mine, as to the nitty-gritty specifics
of why he felt he was in the right in this particular case, and why I
feel he was wrong.  Discussion of that should take place on debian-x.

The primary purpose of this mail is to prompt a discussion of what we as
a Project should do in the general case of surprise uploads of this
nature which are, again, neither hijacks nor NMUs, but have some
features of both.

Organizationally, we have more experience with single-maintainer
packages, and I think we have to evolve a bit with respect to team
maintenance a bit more.  Fundamentally, I think team-maintenance of
packages has to be grounded on mutual trust among the members of the
team.  I personally feel that my trust was betrayed in this situation.
If you think I should not feel this way, please explain why.

Please send followup about matters specific to the X Strike Force, or
XFree86, to the debian-x list.

Please send followup about other technical matters to debian-devel.
(I sent this mail to -devel because that's where followups to mail on
debian-devel-changes are directed, and I wrote this mail in reply to the
"Accepted xfree86 4.3.0-1" message that was sent there.)

Please send other followup to debian-project or privately.

I welcome your feedback.  If you don't know what the status of XFree86
4.3.0's progress to unstable is, please check out the XSF news page[5]
before following up.

Thank you.

[1] I asked Martin Michlmayr if this would be possible on IRC shortly
after I learned of the upload, and was told it probably wasn't.  I made
no further requests, as I had come up with an alternative (if gross)
method of superseding it, that being the epoched upload.  Subsequently,
the 4.3.0-1 upload was UNACCEPTed anyway, and I aborted my preparation
of an epoched 4.2.1-16.  I am not sure who specifically requested or
approved the UNACCEPT, though I am thankful that it was done.  Epochs
are pretty disruptive.

[2] http://necrotic.deadbeast.net/cgi-bin/viewcvs.cgi/branches/4.3.0/sid/debian/TODO
[3] http://necrotic.deadbeast.net/cgi-bin/viewcvs.cgi/trunk/

[4] It wasn't numbered like an NMU, it didn't say it was an NMU, and it
    didn't follow the NMU procedure.  (It wouldn't have satisfied the
    0-day NMU procedure -- if that were in effect at present, which it
    isn't.)  It resembled a package hijack most closely, but it made no
    mention of a new package maintainer in the changelog.  It is worth
    noting that the only person listed in the Uploaders: field of the
    source package is me.  To my recollection, neither Daniel Stone nor
    anyone else has ever asked to be made an uploader of this package.
    Nevertheless, it is my intention to share this status with others
    after 4.3.0-1 is in unstable.

[5] http://necrotic.deadbeast.net/xsf/XFree86/NEWS.xhtml
    You can also reach this page from my Debian homepage, of course,
    linked in my .signature below.

G. Branden Robinson                |      When dogma enters the brain, all
Debian GNU/Linux                   |      intellectual activity ceases.
branden@debian.org                 |      -- Robert Anton Wilson
http://people.debian.org/~branden/ |

Attachment: signature.asc
Description: Digital signature

Reply to: