| 1 |
On 11/17/2016 01:07 PM, Robin H. Johnson wrote: |
| 2 |
> On Thu, Nov 17, 2016 at 03:05:41PM +0100, Kristian Fiskerstrand wrote: |
| 3 |
>>> Isn't it implied that any stabilisation is approved by the maintainer? |
| 4 |
>>> Has it ever been acceptable to go around stabilising random packages? |
| 5 |
>>> |
| 6 |
>> |
| 7 |
>> Explicit > Implicit when we're updating things anyways. |
| 8 |
>> |
| 9 |
>> There are scenarios where e.g Security is calling for stabilization , |
| 10 |
>> I'll add some info to the draft security GLEP with some requirements for |
| 11 |
>> when this can happen without maintainer involvement as well.. |
| 12 |
>> |
| 13 |
>> Ultimately maintainer is responsible for the state of the stable tree |
| 14 |
>> for the packages they maintain and should be taking proactive steps for |
| 15 |
>> this also for security bugs, it doesn't "always" happen like that..... |
| 16 |
> |
| 17 |
> The interaction of this proposal and the prior discussion of allow |
| 18 |
> maintainers to document the maintenance policy of given packages is |
| 19 |
> where it would really come into play. |
| 20 |
> |
| 21 |
> Using two packages for examples: |
| 22 |
> app-admin/diradm: I am the upstream author as well as the package |
| 23 |
> maintainer. I care about it being marked stable. I'd prefer the normal |
| 24 |
> policy of other people asking me (with timeout) before touching it. |
| 25 |
> |
| 26 |
> app-admin/cancd: It's a very obscure package that I put in the tree |
| 27 |
> because I needed it, but I haven't personally used it in many years. |
| 28 |
> I fix the packaging if it's broken only. |
| 29 |
> I'm inclined to mark it with 'anybody-may-bump/fix/stabilize'. |
| 30 |
> |
| 31 |
Agreed. For most of my packages, I really don't mind since we're all |
| 32 |
working on Gentoo together, but it'd be super helpful if I was simply |
| 33 |
notified in the event that a package I maintain has gotten a security |
| 34 |
bump, patch, or stabilization. Sure, 'git log' and 'git blame' can |
| 35 |
explain a few things, but if I was going to edit a package, I have the |
| 36 |
maintainer's e-mail available right there in metadata.xml. To me it's a |
| 37 |
courtesy that should be a requirement by default, while devs that don't |
| 38 |
care can use whatever means we agree upon to indicate that they don't care. |
| 39 |
|
| 40 |
This creates a "contact first" practice, which it seems we want to |
| 41 |
encourage. If someone isn't responsive and/or away, that complicates |
| 42 |
things, but if it's a security concern or the last blocker in a big |
| 43 |
stabilization effort (looking at you, tcl 8.6...), then it makes sense |
| 44 |
to just go ahead and make the bumps necessary. |
| 45 |
|
| 46 |
-- |
| 47 |
Daniel Campbell - Gentoo Developer |
| 48 |
OpenPGP Key: 0x1EA055D6 @ hkp://keys.gnupg.net |
| 49 |
fpr: AE03 9064 AE00 053C 270C 1DE4 6F7A 9091 1EA0 55D6 |
Archives