
Re: Package namespace grab



On Fri, Jan 19, 2024 at 07:12:25PM +0100, Thorsten Alteholz wrote:
> On 18.01.24 21:52, Johannes Schauer Marin Rodrigues wrote:
> > I hope that letting this package through NEW was just a slip-up by FTP masters?
> > If not, what was the rationale to allow for a package to grab the namespace of
> > such an important Debian utility?
> 
> are you aware of apt-build, apt-cacher, apt-clone, apt-forktracer, and many
> of the other apt-* packages?
> What makes you think that there is a namespace for apt-*?

It isn't about the namespace (for me) as much as it is about the name
"apt-verify" itself and what that name suggests to innocent users
– and on top of that how it is implemented and presented.

Can I upload a package named "debian-security"? Sure, but is it
a good idea? Probably not if e.g. the security team would find that
misleading. And they probably will if they have never heard from me
before and I don't even interact with them if prompted.

Can I upload a python2/gtk2/qt4/…-only package today? Of course I can,
but someone will (hopefully) point out that this is not a good idea.

Can I open an ITP, get replies and completely ignore them?
Sure, but is that a good example of how to interact with the community?
What is the point of an ITP if this is the result?

Do we usually ship things that even its own upstream consider a hack?
While also being about security? Against a truly Debian native package?
I take home that uploading a package matching 'ssh*' is worthy of
opposition based on d-d@l.d.o, but 'apt*' is fair game.

Do some tools exist in the apt* namespace that I would wish would be
called differently? Sure. Heck, I wish apt would be called differently.
Does that mean we have to agree to all future mistakes, too?

I could go on, but I don't think that actually leads us anywhere.


And to be clear: I am not blaming anyone for anything,
I am "just" a bit disappointed in how this went down, but
if that is how we wanna play this…

Mostly disappointed in me though, as I naively envisioned the
interaction to be completely different while replying to the ITP.


> > What went wrong here such that this package went through despite these reasons
> > against it? Am I missing something?
> 
> Yes, if the software does not work, file a bug. Despite the announcement of
> Julian, there is no RC bug filed for apt-verify yet. At the moment the

(Julian has taken another approach, which I am not 100% agreeing with,
 but that effectively amounts to the same thing as an explicit RC bug
 would in some sense … old testament style: eye for an eye, I guess)

My approach would have been what I said in a lot of words in the ITP
already: Do whatever you want, I have no way of stopping you, but
I would have preferred if we had talked about this beforehand &
know that I will not only not pick up the broken pieces that will be
the result of this, but also be upset when (not if, as experience
shows) anyone blames me/us for the broken pieces; so I hope you
reconsider.


(At least I am usually committed to unbreak use cases even if they are
 of the xkcd#1172 kind, but even I have limits that I like to be upfront
 about if I can, so that people know what they can expect from me or not
 – and for my own mental peace while dealing with the fallout)


> software seems to work and whatever will happen after 2030 is no reason to
> forbid something now.

2030 isn't our concern either. Julian started with "apt-key use is slated
for removal no later than Feb 29th." this year, so that package as it
stands will work for a bit more than a month at most after which it will
silently not work anymore. That is a pretty short shelf life (assuming
we aren't bullied into extensions again).

You can read about apt-key being deprecated and slated for removal for
years now, so implementing tools based around it and bringing them to
Debian without ever even asking if that is a good idea feels a bit
hostile, especially if, as a cherry on top, feedback on the ITP that brings
it is completely ignored.



Didn't think my mentioning this one as an example of why/how what I say
can be ignored in another instance would trigger a response… next time
I will not use linking and instead use embedded copies for that concept
(On the upside, at least in that instance a better outcome might have
 been achieved for everyone's benefit; if not the ideal outcome.
 I suppose a prophet is really not honored in his own name^Whomespace).


Best regards

David Kalnischkies
