• Maintenance of python-cryptography

    From Scott Kitterman@21:1/5 to All on Wed Mar 13 13:34:14 2024
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064979

    Would some of you who are pushing so hard to change the policy for Uploaders/Maintainer in the team please step up and take over this package. It really needs updated to the new upstream release (blocking both aioquic and dnspython for me, I don't know about others).

    I haven't done a comprehensive check, but I think morph asked for all the leaf packages he was maintaining in the team to be removed from the archive and is removing himself from uploaders/maintainer on others.

    You all made this mess. Please clean it up.

    Scott K

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Scott Kitterman@21:1/5 to All on Wed Mar 13 23:39:50 2024
    On Wednesday, March 13, 2024 1:34:14 PM EDT Scott Kitterman wrote:
    > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064979
    >
    > Would some of you who are pushing so hard to change the policy for
    > Uploaders/Maintainer in the team please step up and take over this
    > package. It really needs updated to the new upstream release (blocking
    > both aioquic and dnspython for me, I don't know about others).
    >
    > I haven't done a comprehensive check, but I think morph asked for all the leaf packages he was maintaining in the team to be removed from the archive and is removing himself from uploaders/maintainer on others.
    >
    > You all made this mess. Please clean it up.

    Actually, it looks like python-cryptography still has one uploader, but morph was doing work on the package, it's complicated, and could use more help, not less. Pyopenssl, on the other hand, is now unmaintained (no human uploader).

    Scott K
  • From Andreas Tille@21:1/5 to All on Thu Mar 14 09:00:01 2024
    Hi Scott,

    On Wed, Mar 13, 2024 at 11:39:50PM -0400, Scott Kitterman wrote:
    > On Wednesday, March 13, 2024 1:34:14 PM EDT Scott Kitterman wrote:
    > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064979
    > >
    > > Would some of you who are pushing so hard to change the policy for Uploaders/Maintainer in the team please step up and take over this package. It really needs updated to the new upstream release (blocking both aioquic and dnspython for me, I don't know about others).

    Reading the bug log of your request to upgrade this package has a hint
    from Tue, 13 Feb 2024 [1] that some rust dependencies need updates
    (thanks for the work on this Jérémy! BTW, I merged your 41.0.7-5 changes
    into master branch and closed bug #1046569 manually)

    The discussion about Policy change started two weeks later[2]. I might
    miss the point in the connection you are drawing here.

    > > I haven't done a comprehensive check, but I think morph asked for all the leaf packages he was maintaining in the team to be removed from the archive and is removing himself from uploaders/maintainer on others.

    Your request to speak up[3] was not heard. I would have preferred to
    read constructive arguments instead of silent leaving the team (in the
    sense of not informing the team mailing list about the leave).

    > > You all made this mess. Please clean it up.

    I think the good intentions[4] in your sentences here are that you
    really care about this important package and you fear that it is left
    alone. So thanks for the pointer.

    What I did before your mail was sent:

    python-cryptography (42.0.5-1) UNRELEASED; urgency=medium

    * Team upload.
    * New upstream version
    Closes: #1059308 (CVE-2023-50782)
    Closes: #1064778 (CVE-2024-26130)
    Closes: #1063771, #1018159
    * Reorder sequence of d/control fields by cme (routine-update)
    * watch file standard 4 (routine-update)
    * Enable building twice in a row
    Closes: #1046569

    -- Andreas Tille <tille@debian.org> Thu, 29 Feb 2024 10:20:49 +0100

    Meanwhile I marked bugs #1059308 and #1064778 pending (they could be
    even closed but it's good to have some record inside changelog if CVEs
    are involved[5]) I also closed bug #1018159 which remained open for
    no good reason and closed #1046569 manually since it was not mentioned
    in changelog of latest upload.

    Jérémy did:

    python-cryptography (41.0.7-5) unstable; urgency=medium

    * AMAU, Closes: #1064979

    [ Andreas Tille ]
    * Enable building twice in a row

    -- Jérémy Lal <kapouer@melix.org> Thu, 07 Mar 2024 13:42:35 +0100

    > Actually, it looks like python-cryptography still has one uploader, but morph was doing work on the package, it's complicated,

    Since Tristan Seligmann went MIA the package was uploaded by:

    -- Jérémy Lal <kapouer@melix.org> Thu, 07 Mar 2024 13:42:35 +0100
    -- Sandro Tosi <morph@debian.org> Wed, 28 Feb 2024 12:23:58 -0500
    -- Jérémy Lal <kapouer@melix.org> Thu, 08 Feb 2024 15:34:30 +0100
    -- Jérémy Lal <kapouer@melix.org> Tue, 09 Jan 2024 01:14:48 +0100
    -- Jérémy Lal <kapouer@melix.org> Sun, 07 Jan 2024 13:24:39 +0100
    -- Nicolas Dandrimont <olasd@debian.org> Tue, 08 Aug 2023 17:16:11 +0200
    -- Sandro Tosi <morph@debian.org> Tue, 28 Feb 2023 00:36:13 -0500
    -- Stefano Rivera <stefanor@debian.org> Sun, 08 Jan 2023 16:31:04 -0400
    -- Sandro Tosi <morph@debian.org> Thu, 15 Dec 2022 12:00:09 -0500
    -- Debian Janitor <janitor@jelmer.uk> Thu, 19 May 2022 05:05:36 -0000
    -- Stefano Rivera <stefanor@debian.org> Wed, 18 May 2022 12:22:15 -0400

    Comment: Debian Janitor did not really upload the package. The
    Uploader of the subsequent upload probably accidentally forgot to merge
    the changelog entries. The Upload
    Sandro Tosi <morph@debian.org> Wed, 28 Feb 2024 12:23:58 -0500
    is simply orphaning the package. BTW, "orphaning" is defined by setting
    Debian QA team as maintainer. The package is not really orphaned but has
    DPT as maintainer. I understand your worries about this package but
    looking at these entries I do not see in how far the current status
    looks that bad.

    > and could use more help, not
    > less. Pyopenssl, on the other hand, is now unmaintained (no human uploader).

    Pyopenssl is lagging slightly behind upstream. Someone could care for
    #1047548 but I personally ignore such bugs until other work on the
    package needs to be done. I'm optimistic that someone will step up
    as Uploader.

    Kind regards
    Andreas.

    [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063771#10
    [2] https://lists.debian.org/debian-python/2024/02/msg00052.html
    [3] https://lists.debian.org/debian-python/2024/02/msg00060.html
    [4] https://salsa.debian.org/python-team/tools/python-modules/-/merge_requests/21
    [5] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059308#25

    --
    http://fam-tille.de

  • From Scott Kitterman@21:1/5 to Thomas Goirand on Fri Mar 15 14:00:02 2024
    On March 15, 2024 7:19:16 AM UTC, Thomas Goirand <zigo@debian.org> wrote:
    > On 3/13/24 18:34, Scott Kitterman wrote:
    > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064979
    > >
    > > Would some of you who are pushing so hard to change the policy for Uploaders/
    > > Maintainer in the team please step up and take over this package. It really
    > > needs updated to the new upstream release (blocking both aioquic and
    > > dnspython for me, I don't know about others).
    > >
    > > I haven't done a comprehensive check, but I think morph asked for all the leaf
    > > packages he was maintaining in the team to be removed from the archive and is
    > > removing himself from uploaders/maintainer on others.
    > >
    > > You all made this mess. Please clean it up.
    >
    > Absolutely not. Sandro did. There's btw absolutely no reason to declare a package as "orphan" if it is supposed to be team maintained. It's also a very bad behavior to do this silently, without telling the team about it, or taking part of the thread. I very much regret things are happening this way, but I don't think the rest of the team should be held responsible.
    >
    > If you have the list of the packages matching what you are saying, please do share.
    >
    > On 3/14/24 08:52, Andreas Tille wrote:
    > > I would have preferred to
    > > read constructive arguments instead of silent leaving the team (in the
    > > sense of not informing the team mailing list about the leave).
    >
    > Me too. But I'm not surprised.

    I didn't have a list, I'm glad someone went through and made one.

    Yes, he might have handled his departure from the team differently, but I found the entire discussion about changing the team policy on setting the maintainer very off putting. I haven't talked to him about it beyond making sure he was aware of the
    discussion, so I don't know why he handled it the way he did, but I can easily imagine he was quite frustrated.

    Frankly, I think statements like the above aren't particularly consistent with the project CoC and have me thinking again about if this is the kind of team I care to be involved with.

    While the way he left the team is on him, the fact that it even came up is 100% on the people pushing this change. I don't think there's any evidence that some other reason is the cause.

    Also, for packages which are team maintained, but only have one uploader, orphaning is exactly the correct thing to do when that person gives up the package. A human uploader is required. Similarly, it's the maintainer's call if a package should be removed or if it can remain maintained by QA. While I agree more communication would have been better, those are entirely appropriate actions for a team maintained package with a single uploader.

    Scott K

  • From Scott Kitterman@21:1/5 to Thomas Goirand on Fri Mar 15 17:10:01 2024
    On March 15, 2024 3:47:25 PM UTC, Thomas Goirand <zigo@debian.org> wrote:
    > On 3/15/24 13:52, Scott Kitterman wrote:
    > > On March 15, 2024 7:19:16 AM UTC, Thomas Goirand <zigo@debian.org> wrote:
    > > > On 3/14/24 08:52, Andreas Tille wrote:
    > > > > I would have preferred to
    > > > > read constructive arguments instead of silent leaving the team (in the
    > > > > sense of not informing the team mailing list about the leave).
    > > >
    > > > Me too. But I'm not surprised.
    > >
    > > I didn't have a list, I'm glad someone went through and made one.
    > >
    > > Yes, he might have handled his departure from the team differently, but I found the entire discussion about changing the team policy on setting the maintainer very off putting. I haven't talked to him about it beyond making sure he was aware of the discussion, so I don't know why he handled it the way he did, but I can easily imagine he was quite frustrated.
    > >
    > > Frankly, I think statements like the above aren't particularly consistent with the project CoC and have me thinking again about if this is the kind of team I care to be involved with.
    >
    > Which part? The one where I am saying that I'm not surprised? That in no way should be taken badly, or as an attack on him. Let me explain then.
    >
    > I too, would prefer if Sandro didn't leave, even if I had difficult moments when communicating with him. I stated it already, I did appreciate his contribution to the team, and to the project at large.
    >
    > Though it's a fact that I was not surprised, because you mentioned it. We knew in advance it could happen. Looking backward, it seems it was inevitable, unfortunately.
    >
    > I'd be very sad to see you go as well, please stay.
    >
    > > While the way he left the team is on him, the fact that it even came up is 100% on the people pushing this change.
    >
    > I do not agree. It came up because what it was generating (frustration, flames about "rogue uploads", you name it...) had to be addressed.


    My level of frustration is not declining.

    I suggest to you that the source of the emails about rogue uploads were the rogue uploads. I think that not following the rules and then complaining that people called you on not following the rules has an obvious source.

    This was an avoidable own goal on the team's part because, in my judgement, there was too little openness to diversity of opinions on how to do things.

    Scott K

  • From Emmanuel Arias@21:1/5 to zigo@debian.org on Fri Mar 15 17:30:01 2024
    Hi!

    On Fri, Mar 15, 2024 at 4:19 AM Thomas Goirand <zigo@debian.org> wrote:

    > On 3/13/24 18:34, Scott Kitterman wrote:
    > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064979
    > >
    > > Would some of you who are pushing so hard to change the policy for Uploaders/
    > > Maintainer in the team please step up and take over this package. It really
    > > needs updated to the new upstream release (blocking both aioquic and
    > > dnspython for me, I don't know about others).
    > >
    > > I haven't done a comprehensive check, but I think morph asked for all the leaf
    > > packages he was maintaining in the team to be removed from the archive and is
    > > removing himself from uploaders/maintainer on others.
    > >
    > > You all made this mess. Please clean it up.
    >
    > Absolutely not. Sandro did. There's btw absolutely no reason to declare
    > a package as "orphan" if it is supposed to be team maintained. It's also
    > a very bad behavior to do this silently, without telling the team about
    > it, or taking part of the thread. I very much regret things are
    > happening this way, but I don't think the rest of the team should be
    > held responsible.
    >
    > If you have the list of the packages matching what you are saying,
    > please do share.

    I think you are looking for this https://lists.debian.org/debian-python/2024/03/msg00045.html

    > On 3/14/24 08:52, Andreas Tille wrote:
    > > I would have preferred to
    > > read constructive arguments instead of silent leaving the team (in the
    > > sense of not informing the team mailing list about the leave).
    >
    > Me too. But I'm not surprised.
    >
    > Cheers,
    >
    > Thomas Goirand (zigo)


