[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bits from the DPL: DSA and buildds and DAM, oh my!

Hey all,

I've been delaying this mail for a while now, because I haven't been able
to work out a way of writing it that doesn't strike me as not treating
some of the concerns I've heard seriously enough. I still haven't come
up with a way of avoiding that unfortunately, but it seems better to
get something happening, even if it isn't really good enough.

I'm trying to be descriptive here rather than prescriptive or proscriptive
-- we've got a DPL campaign coming up where there'll be plenty of time
to talk about various ways of improving things, so to me the most useful
thing to do now seems to be providing a good understanding of how things
are at the moment, and have an informed discussion over the next few
weeks, rather than a repeat of all the arguments we've already had.

So the first thing I'd like to note is that despite all the criticisms
there are of things like new-maintainer, buildd administration,
ftpmaster, system administration, and whatever else, objectively all
of those areas are very impressive: compared to other distributions,
we still have a huge number of contributors, we still support a huge
number of architectures at an amazing level of quality, we still have
a huge number of packages that are maintained at an amazingly high
quality, we have a huge number of services that are administered in an
incredibly open manner with a pretty impressive level of uptime. None
of that means we can't or shouldn't be doing better, but I think it's
worth recognising that when we say we're not doing a good enough job,
*we* are still the ones setting and raising the bar.

Okay, this is going to get really long, so if you've read this far and
don't really care about any of the above areas, now's the time to skip
to the next message and get on with your life.

I think a good step is to cover what rights some of the more controversial
roles actually have, as best I understand it. Again, this is just meant
to be a description of what is, not necessarily what I think things
should be, or was originally intended or anything else.

  * Debian Account Manager(s) (DAM)
     - Joerg Jaspert and James Troup
     - delegated authority to determine who is a developer
     - may only exercise this authority in cooperation with keyring-maint
     - have created assisting roles in the form of FrontDesk and
       Application Manager
     - nm.debian.org documents current progress of active applications
     - numerous amounts of documentation and sample reports around for
       what form applications should take

  * Debian System Administration (DSA)
     - James Troup, Martin Schulze (Joey), Ryan Murray, Phil Hands
     - delegated authority to determine official Debian services via delegation of
       debian.org subdomains
     - delegated authority to determine unofficial Debian services via delegation
       of debian.net subdomains
     - default administrators (root@) for machines donated to Debian
     - have created db.debian.org for tracking machines and accounts
       and controlling debian.net subdomains
     - listed as group "adm" on DSA adminned machines
     - have a repository for customised packages at
         deb-src http://db.debian.org/ debian-admin/

   * System admin for <host> (root@<host>)
     - determined by owner/sponsor of hardware/bandwidth
     - responsible for security of machine
     - determines who is allowed access to host
     - determines what services are provided by host

   * Debian Archive Maintainer(s) (ftpmaster)
     - Ryan Murray, James Troup, Anthony Towns
     - responsible for maintianing the archive on ftp-master.debian.org
     - determines what may be accepted into the archive
     - determines the process by which software is accepted into the archive
     - listed as group "debadmin" on DSA adminned machines, have access to
       role user "dak" on DSA adminned machines
     - assisted by Joerg Jaspert, Jeroen van Wolffelaar, Randall Donald,
       Michael Beattie
     - ftpmaster and assistants are listed as group ftpteam on DSA
       adminned machines
     - maintain various bits of information about how the archive is
       administered at http://ftp-master.debian.org/ and have a
       developer-accessible mirror of the archive software on merkel.debian.org
     - BTS psuedopackage is http://bugs.debian.org/ftp.debian.org

   * Debian Kerying Maintainer (keyring-maint)
     - James Troup
     - responsible for maintaining the keyring containing public keys for
       all developers as used by DSA for db.debian.org, ftpmaster for the
       archive and others
     - provides http://keyring.debian.org/ interface to the keyring
     - maintains debian-keyring package
     - listed as group "keyring" on DSA adminned machines
     - assisted in the past by Michael Beattie
     - some procedures documented in section 3.2 of the developers reference
       and at http://keyring.debian.org/replacing_keys.html

   * Buildds...

       * Local admin of buildd
         - as per other root@ roles

       * Debian Buildd Administrator
         - Ryan Murray
         - maintains buildd.debian.org (wanna-build, wanna-peruse)
         - ensures buildd machines are up to date in cooperation 
           with local admins
         - with cooperation of DSA, manages access to wanna-build

       * Build log signer(s)
         - Ryan Murray, LaMont Jones, James Troup, Bastian Blank and others
         - also includes security team for security uploads
         - responsible for ensuring builds are uploaded regularly
         - responsible for ensuring builds pass basic sanity checks
         - must be able to assure themselves that the build machines they're
           signing for are secure
         - needs to be authorised by buildd local admin to upload
         - needs to be authorised by ftpmaster to be accepted into the archive

       * Wanna-build access
         - Ryan Murray, Steve Langasek, James Troup, Anthony Towns, others
         - schedule give-backs, binNMUs, etc
         - listed as group "wb-$arch" on DSA adminned machines (amd64
           included in wb-i386, mipsel included in wb-mips)

That's intended to be exhaustive and authoritative, but probably
misses some bits that I'm not familiar with or that simply slipped
my mind. That particularly applies to the buildd stuff, which I'm not
really very familiar with, and have generally tried to avoid looking
into in any depth.

In my opinion the only roles that have any "DPL delegation" part are the
ones I've described as "delegated authority" above -- ie, DAM's ability
to determine who's a Debian developer, and DSA's management of the
debian.org and debian.net domains. That opinion's not universally held,
though, and reasonable arguments as to whether other bits of the above
should be considered delegated could be made, and you could also question
whether there's any moral right for the DPL to claim control over those
couple of bits, when it's been other people who've been putting in the
work for years. I'm not interested in having that debate, so please feel
free to consider the above an official delegation or endorsement of each
of the above from me (as current DPL) in so far as that removes the need
to argue over form rather than function.

I'm not going to try to do a NPOV listing of problems that various
people see in all these roles. That would probably be a useful thing
to have, I'm just worried that I'd accidently leave some issue out and
that would be misinterpreted as meaning that issue isn't important,
or is less important than the ones I happen to remember.

Instead, I'll just talk about a few of the problems I'm familiar with,
and some of the ways they're being worked on behind the scenes, so that
that can be taken into account in future discussion.

A major complaint for many of the roles is often summed up in a single
word as "communication". Particular examples are when someone finds a
problem that needs fixing, but the knowledge of that problem's existance
doesn't make it all the way to the people that need to solve it; or when
the information that whatever it is is fixed doesn't make it's way back
to whoever reported the problem; or where people in general don't have
an idea of what these tasks actually involve, and hence are unable to
estimate what requests are likely to be easy or hard, or what actions
on their part might make their requests easier to deal with, or what
they might be able to do to help in general.

One of the causes for that is that role addresses remain the main way
of contacting people -- which means there's no tracking of issues, and
usually a lot of spam to wade through before even finding real requests in
the first place. For some roles, having a pseudopackage on bugs.debian.org
has worked reasonably well, however that's considered unsuitable for some
of the roles due to it's lack of privacy features (in the event that
DSA need to deal with sponsorship or security issues, or keyring-maint
is given personal information as part of keyring updates, eg) and that
the BTS is optimised for the workflow for package maintenance, which is
often a bad fit for some of the above roles.

DSA have been planning on addressing this by setting up an RT install for
use by at least themselves and keyring-maint, and possibly also for buildd
issues. This has largely been waiting on having a DSA-adminned machine
of sufficient capacity set up. That's been delayed for quite a while,
largely in preference to higher priority tasks including upgrading and
rehosting ftp-master.debian.org, upgrading bugs.debian.org, and dealing
with security issues and such as they arise. My understanding is that
the recent shift of bugs.debian.org from "spohr" to "rietz" has managed
to deal with the remaining task with a higher priority than setting up rt
(ie, upgrading bugs.d.o) and has freed up a sufficiently capable machine
(spohr) that rt can be installed on.

Beyond that, many of the queries, particularly for keyring-maint and
buildd issues, are ones that end up better dealt with by an explanation of
what the right way for the requester to deal with the problem is, rather
than the action actually being requested. One of the possibilities that
James Troup has mentioned in dealing with that is to have other people
acting as a first pass to deal with requests that don't actually require
action, and passing on the rest to a different mail alias, that's not
public and (hopefully) doesn't receive any spam either. That's likely
something that will become fairly easy to have happen when rt is setup,
so will probably wait until then.

To the best of my knowledge there's not currently any activity in
collecting any of the existing public information about those roles
or activities into more accessible documentation, beyond the regular
maintenance of the developers-reference package.

A more immediate concern for many people are the current delays in
the new-maintainer process at the "waiting for DAM approval stage",
in particular the "waiting for the DAM to create their account" stage.

This step involves two main activities -- the addition of an entry into
the db.debian.org LDAP database for the new maintainer, and the addition
of the maintainer's key into the keyring. The LDAP entry can only be
added by DSA members, and the key can only be added by keyring-maint,
and both these updates are only able to be made after the new-maintainer
process is complete and one of the DAMs has approved the application.

What this means in practice is that while Joerg Jaspert does a significant
majority of the DAM's task of reviewing applications and ensuring they
meet the appropriate standards, having his decisions take effect is
reliant on his co-DAM, James Troup, taking on his role as keyring-maint
and DSA member to finish the process. And while there are other DSA
members who could assist with the account creation and LDAP entry,
James is the only person able to update the keyring.

The primary reason why there's only one keyring-maint is the "binary
blob" problem: the keyring is a large chunk of 1's and 0's that cannot
be easily validated by a human directly, and doesn't have "source" that
can be easily validated either. As a consequence, if you have two people
working on the keyring, and one hands the other a new version claiming
that the only change is to include a new key for "foo", it's very hard
for the other maintainer to verify those are the only changes being made,
or why they're being made if someone asks later. This also makes it hard
to validate NMUs, and furthermore passing around unverifiable data over
the network adds an attack vector that's difficult to track. It also
makes it hard for an individual maintainer to check that the tools are
doing what they're supposed to be doing.

That's a technical issue, however -- one that seems like it should be
emminently solvable. Ensuring that any such solution is written in a way
that encourages auditability (of the code, of the input and of the output)
is an important part though, and I don't know that anyone even has a good
understanding of how that would be achieved. That probably means someone
needs to try to implement it, and then we can see what doesn't work.

This issue has been mentioned briefly in the past a few times, but to
the best of my knowledge, no one's taken up the challenge so far.

(FWIW, as a quick prototype, after downloading keys of everyone who has
a login on gluck via db.debian.org into "username.key" files, the command:

    for a in `ls --sort=s *.key`; do 
      gpg --no-auto-check-trustdb --no-default-keyring \
          --keyring ./TESTRING.gpg --import < $a 2>/dev/null;
      echo $a;

takes about 14m to run on my iBook G4. So it /ought/ to be possible
to build something that constructs a keyring from source files in a
reasonable amount of time. The resulting keyring is about 19MB fwiw.)

As I've said, the above is my understanding of things, and while I've
tried for accuracy, that doesn't mean there aren't errors. In particular,
the above is based on conversations with the people involved both recently
and in the past, and shouldn't be taken as an official report from any
of them because it's almost certain that new issues have popped up in
the meantime, that I've missed or forgotten some of the blockers or
other high priority issues, and that I didn't know or didn't think of
some of the resources available.

On a personal note, in my experience the most effective way of working
with James and Ryan is to trust that they generally know what they're
doing and more or less leave them to get on with making things better on
their own rather than hassling them for status reports or similar. "Just
leave them to their own devices" isn't something you'll see recommended
in management books, but when people are doing stuff that they care
about for fun, it's worth considering. A downside is that it makes it
hard to know how to help, and the only way I've seen to deal with that
is to pay attention to the occassional mentions of things that might be
appreciated and dive into them. YMMV of course.

That's pretty much the reason I haven't been poking into any of these
areas over the past year -- it's not simply that I trust that the folks
involved know what they're doing and are dedicated to Debian's goals;
but it's also that I think they contribute /better/ if they aren't
closely supervised. I think that's seen some results over the past
year, including much improved spam protection for debian.org addresses,
some neat improvements to the buildd website on both the backend and
the frontend, and a new and much faster ftp-master along with two
dinstall/britney runs a day, among other things.

I guess ultimately, I'm hoping that the rt stuff will make it easier to
retain that sort of "hands off" approach where it's useful while still
making it easy to see what's going on and where there are problems.

Well, that was absurdly long. Sorry. If it's any consolation, it's taken
me a lot longer to prepare and write this mail than it took you to read
it. :(

As far as what Debian's interested in doing about changing any of
the above, I figure that'll form part of the election debates anyway,
especially given they're only a couple of days away now.


Anthony Towns
Debian Project Leader

Attachment: signature.asc
Description: Digital signature

Reply to: