Hi all.

Johannes Schauer Marin Rodrigues <josch@debian.org> writes:

slightly related question: if I upload a new version to NEW, will the Age of the package be reset? I'm asking because my package has been in NEW for four months already and I'd like to avoid loosing that place by an upload of a new upstream version.

Every time I see stories like this, I wonder what the consequences of
the NEW queue's current workings are. This is *not* criticism of the
heroic work of the FTP Masters, nor is it criticism of the objectives
they have in processing the NEW queue. I do, however, worry that months
of waiting to see the fruits of one's labor might be detrimental to
attracting new contributors, or indeed to motivate already active
ones. It also seems to be a not insigificant impediment to getting
useful work, such as a SONAME bump, done quickly. At least personally, I
find it harder to put in small pieces of work that result in incremental improvements if the result is having to wait months – with the added uncertainty of having to do it all again (for good reasons, but
nevertheless).

It may well be that I'm asking the impossible here, but it does seem to
be a problem that other distributions don't suffer under to the same
extent. Is it merely a matter of their standards being lower, or is
there some room for improvement on our part?

Apologies in advance if this is something that has been discussed a lot
in the past. I'd be very interested in being pointed in the right
direction in that case!


Best,
Gard


--=-=-Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQJGBAEBCgAwFiEEz8XvhRCFHnNVtV6AnRFYKv1UjPoFAmGWME4SHGdzcHJAbm9u ZW1wdHkub3JnAAoJEJ0RWCr9VIz6WtwP/im1UQ/Ois52kUFVzZl8RXLDGNKQP8tt lLXmi7VW5tQvdj/+uDI9EIgr95VgdOIPB9dMNo09j/j7zqCrBW5t1TwMmF4/eJtx WSeCPsmyNQm/5/IcFVapqpvAB87tRn7rd1SrTBG1r0MHaWC/6qsPAytkNA4Nc/bN Fp54btVSV0DiqZbor48iJRdD7lUEB1i6UHNqEIEt6sZ/48Aq1oEKbw3BimM7xInq 0geLK4+dhwXCed+Prh/2AT27VRdi0l9p0ld7smuyj5DqvBlmZ/+8akWIlsjL6c0P a55eNiKIVjZ1U66nfvQiLBxrbTv8sauFl84E6zl0i0KxhmUMnzV+wHbZr0ZSU9/a LPzHgfW01FgTqZGseS+xwfbkl8Uhn6pWGRJvFukpZ5CLFcCFag5r6sDLJZeyHeoC uBn9QHhv3h680xxt0V4mMGONOmXOOtoQmko6ufG0gtJy6DaXjuqa9BtA/4OJc+H0 1YfyF1MqSbKAD9ezAk4ZB+m+g1Gc+5jPboIeOpNj50TfQauTdVjEcgyD+1saVKNf qJf+C1ro0JGwwj9ZHgb7fsYwxN0aa+tfUvFrZZxjyFnOKBkvfzJYqN7hTay0/6I/ WSrZSwB6till2MnbkrZbWmVe+TwxlFWk4Kt7i0bhp7sRig/aDaLJXuuDTNUhfVBv
m4vHOD8S28ry
=/l53
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi list,

On 18/11/2021 11:51, Gard Spreemann wrote:

Apologies in advance if this is something that has been discussed a lot
in the past. I'd be very interested in being pointed in the right
direction in that case!

No need to apologize... searching the the devel archives on "NEW queue"
reveals multiple discussions. One IMHO important thread starts at https://lists.debian.org/debian-devel/2020/02/msg00118.html.

Another thread is about the NEW queue being more or less cleared about a
year ago: https://lists.debian.org/debian-devel/2020/11/msg00017.html


Cheers!
--a

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, Nov 18, 2021 at 11:52 AM Gard Spreemann <gspr@nonempty.org> wrote:

Every time I see stories like this, I wonder what the consequences of
the NEW queue's current workings are. This is *not* criticism of the
heroic work of the FTP Masters, nor is it criticism of the objectives
they have in processing the NEW queue. I do, however, worry that months
of waiting to see the fruits of one's labor might be detrimental to attracting new contributors, or indeed to motivate already active
ones. It also seems to be a not insigificant impediment to getting
useful work, such as a SONAME bump, done quickly. At least personally, I
find it harder to put in small pieces of work that result in incremental improvements if the result is having to wait months – with the added uncertainty of having to do it all again (for good reasons, but nevertheless).

It may well be that I'm asking the impossible here, but it does seem to
be a problem that other distributions don't suffer under to the same
extent. Is it merely a matter of their standards being lower, or is
there some room for improvement on our part?

I don't know if that has been proposed before, but how about waiving
the NEW queue requirement for experimental packages as a start? This
would allow us to work with new packages or soversion updates, and the transition through NEW to "unstable" could happen at the same time
(i.e. upload to unstable for NEW and uploading again for
experimental). Since packages in experimental will never land in any
official release, I think dropping the NEW queue requirement has no
negative impact.

One could also go further and do this automatically for unstable ->
testing (all package uploads allowed to unstable, new ones have to be
approved by the ftp-masters before they can transition).

Regards,
Stephan

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, Nov 18, 2021 at 02:52:56PM +0100, Stephan Lachnit wrote:

I don't know if that has been proposed before, but how about waiving
the NEW queue requirement for experimental packages as a start?
[...] Since packages in experimental will never land in any
official release, I think dropping the NEW queue requirement has no
negative impact.

This makes no sense as NEW is mostly about checking licenses.

--
WBR, wRAR

-----BEGIN PGP SIGNATURE-----

iQJhBAABCgBLFiEEolIP6gqGcKZh3YxVM2L3AxpJkuEFAmGWYwctFIAAAAAAFQAP cGthLWFkZHJlc3NAZ251cGcub3Jnd3JhckBkZWJpYW4ub3JnAAoJEDNi9wMaSZLh zJQP/2qvaTQnKLdFfO720WkV6mYMjC4/NDD0UNzGXr8caorhd+aEroT8UFRbxp9a vKgAsK/Zu4k5W2KmgI9l+bIrv5JCRcNMKC7n4fD8NjJJhd1BXlXgX4+MrH0S1+xd emr015JoEJXvfSXUycq2ewPyI5YGbNnZOcZa9kEr2tEld6G0QysBrpkmGp38zkZ3 PMN5niTpndqrvbbGhGyEHCbFza1VN/U5p25Js/Js9bqtNdiO9M7oHrA63IRnl9fa J41lRgWK2wzTrPahjqPCOHgkcB3zaEQljQW3PjsFbQQc4aDZBqnlW6c00qVaPjBm nh8tHuK+ZcsNTX8sHFA2pn3GiTl9m28DTzMt5onNlHTaB6YTq9O8IL3g4PbAgOMV A4NLyiAmUBHBRKTsF4l6Ke2ZBhv7kBcXNWzka4uCNlQQaiT7a2ED74QKlGiPh9md n4KUaz9epseUFkJdMUDypF1K5dcS4c/oIiwY3XeCBFF4NOANCDws2XouZSnO4YeM KAHTy6IgF6QAj91jvFBA6dBkpDJ9hs4Vec1cDMnaCcwLG+fd6pIIDG4XoqYeSGEE dI2+DXsfzEb+ciV8RRf9A11U1CBiIa7hw1HP874DqbTkJsymDfHkCMNIvHfnEJsL qHQCSr6qF/s2afB601CW2V0kYYKpg250wtj76hfZJ/vVqfef
=E8Dg
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --2pxUZdmPtw2Aqy7ac71EW7GOMLpViPo4v
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable

Hi,

On 11/18/21 4:08 PM, Stephan Lachnit wrote:

I guess this raises the (maybe already answered) question if the
additional license QA from NEW is for the end-product (i.e. Debian
stable) or for the servers that run the Debian infrastructure, which
of course includes experimental.

The latter.

The license must allow Debian to redistribute the package. This is
checked very thoroughly on the initial upload, and updates are expected
to keep the same licensing. Whether that expectation still holds with upstreams who prefer vendor copies over using external packages is
another matter, but in general these packages require more handholding
anyway.

Simon


--2pxUZdmPtw2Aqy7ac71EW7GOMLpViPo4v--

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEtjuqOJSXmNjSiX3Tfr04e7CZCBEFAmGWbi8ACgkQfr04e7CZ CBEDhwf/fzq1roh9ZX+wwnVWo8ASFatX6Gp/uMSLwAqxsYhM4EtqV0EBGq1iqws8 axLGItYPhaKQ6Lkq1/q32NZZ+TwsJJrRM8sTM8iudeWfPCE8DuZzXxAS7yfYc/3s i1FCbmhdQraKrMDy/Y2EDpixTXWi8DJr9SoSLeOGw6CNyFPUD7gf2JsflFjcqln1 dp4axFYENf0EpgE34UjwJF1aUw0er+duauALyQLeHoIafTBbkdC0x4Iv+Bdat6yX Z8GnUW/R3dU+djewQ5kPmB4DHFrPD3EVa6Ct2DcrG/UDIrV67V9Xm6vvuZKWzdGV 68D6uCKT8uIoTRn/C3+qtBOoLP4YYg==
=BnCv
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, Nov 18, 2021 at 3:28 PM Andrey Rahmatullin <wrar@debian.org> wrote:

On Thu, Nov 18, 2021 at 02:52:56PM +0100, Stephan Lachnit wrote:

I don't know if that has been proposed before, but how about waiving
the NEW queue requirement for experimental packages as a start?
[...] Since packages in experimental will never land in any
official release, I think dropping the NEW queue requirement has no negative impact.

This makes no sense as NEW is mostly about checking licenses.

I think this is exactly why it makes sense. I think we can trust the
DDs to not make any large mistakes (e.g. putting steam in main). Since
packages in experimental aren't supposed to be used by anyone else but
the DDs themselves, the "damage" of a potentially missing / wrong
license is minimal, considering that DDs are aware of the fact that
the packages aren't "official".

I guess this raises the (maybe already answered) question if the
additional license QA from NEW is for the end-product (i.e. Debian
stable) or for the servers that run the Debian infrastructure, which
of course includes experimental.

If it's the latter, then of course this proposal doesn't work. However
I find that view a bit weird. Any update can change the license or add
new files with different licenses, nothing is ever checked by the
ftp-masters (that would be insanity). My conclusion thus is that the
NEW queue is more of an additional QA than a full legal coverage for
the archive, and thus I don't see a problem with unchecked packages in experimental.

Regards,
Stephan

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, 2021-11-18 at 19:28 +0500, Andrey Rahmatullin wrote:

On Thu, Nov 18, 2021 at 02:52:56PM +0100, Stephan Lachnit wrote:

I don't know if that has been proposed before, but how about waiving
the NEW queue requirement for experimental packages as a start?
[...] Since packages in experimental will never land in any
official release, I think dropping the NEW queue requirement has no negative impact.

This makes no sense as NEW is mostly about checking licenses.

Completely naive question that has probably already answered a million
times, but: why then not limit to new source packages? Bumping an ABI
or adding a new tool is as likely to imply a license change as any
other version upgrade that doesn't result in new binary packages from
the same sources.

--
Kind regards,
Luca Boccassi

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEErCSqx93EIPGOymuRKGv37813JB4FAmGWbg8ACgkQKGv37813 JB6glBAAhADY5PArZpz7902epN4FcZMNoOSypUvGyns2+M9kH7WTW2yJehl1IqjI RdVMf3MjTUsCVrQvk39suhc1Fx77tFVwAfqCYzhXWa91GwhbAHcQsWHZ8QFVMHX1 6Nc07ZHEW4OCRulOAj+95yehLzgTXaLaQNBCzLUrSjTxSOqVc5IgubNNd9fyh41W F2915YwoRf1cQvuwLafYxKhQ02WkcB2UUjLlBnM1yi6SJw/TxxREUbX6zCDs0Mzb IIEjWR0m3NEF3iLDV188MmKXO+ImL92se73AR+ZPlx+RvrHMafxiq7OJPcq2fgdG 9V45wCLMrUDBBGSvF3sdbfWTY+5Z+i1c2pxFACnJdNSyBEq/adw9NloY7tN6MLkf hgW4gJ7X/N3YvNkkTM1LYjN0YWVpv/b56upQS1Q7Hyx9K+SYQhuqmKsVTd/VKqeF Gp0k+cLa2ybUUWlp0xvUyk8k/Zl28hxwmTX6pfEBBW7XJ3BDXVU5dXXcoPGaY7f9 xmR57LNwUQsXgpNa3lu4MZX9aDLCayr/xinzWEjttvC7OuMuSrzVvtAK4cnzaEqr PlThwZFrVubiJZYN6RsKrWwDLACXEr3QBZlhgNCZ/Xay2n0tVXyw1B8O3XMET/OZ FGvMq3Zd1DygtEx5SiMJDgsQ1dpSF+ku4B8iO1USy/8SVYrGdyY=
=teKa
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, Nov 18, 2021 at 04:08:23PM +0100, Stephan Lachnit wrote:

I don't know if that has been proposed before, but how about waiving
the NEW queue requirement for experimental packages as a start?
[...] Since packages in experimental will never land in any
official release, I think dropping the NEW queue requirement has no negative impact.

This makes no sense as NEW is mostly about checking licenses.

I think this is exactly why it makes sense. I think we can trust the
DDs to not make any large mistakes (e.g. putting steam in main).

The existence of NEW means we currently don't, for completely new
packages.

Since packages in experimental aren't supposed to be used by anyone else
but the DDs themselves, the "damage" of a potentially missing / wrong
license is minimal, considering that DDs are aware of the fact that the packages aren't "official".

The "damage" that's usually being discussed is Debian distributing
something we can't, not users e.g. getting non-free software thinking it's free. Packages in NEW aren't even publicly accessible because of this,
and discussions of switching to git-based source packages end with "we
can't publish git history of random repos as we don't want to review
and rewrite it".

However I find that view a bit weird. Any update can change the license
or add new files with different licenses, nothing is ever checked by the ftp-masters (that would be insanity).

Sure.

--
WBR, wRAR

-----BEGIN PGP SIGNATURE-----

iQJhBAABCgBLFiEEolIP6gqGcKZh3YxVM2L3AxpJkuEFAmGWcTgtFIAAAAAAFQAP cGthLWFkZHJlc3NAZ251cGcub3Jnd3JhckBkZWJpYW4ub3JnAAoJEDNi9wMaSZLh I3QP/07wnA/RRk+mpW1kqPQRmrCLFfD/cOX/lemyvmKw0E26qmNZTnMB2cIxkfa2 UGyT1pVoI6JfYou3RbDj3j7T3Eohi76aNn8Rv85ftG+/q1zMCB29UC9Flz+ZQFH3 z9OB8lYGdDgWFqQ4W6Mh3S3B9zKvKgM8MhkYKqBEd+1J7/7s16kbXQ4RkjcJ133l aV4jnd47N1ghBujBnF0XxrNPhvFF7Wo89MxMrXY2SU2QvjlvW+i+9mjA6h4QFK+n awL2/nQinG1bivajXW7gIs5HQjTTJUXFywzq6+OHllZmWcjHsEtJT/AOgbILbtS2 oNfO+5l/JNZeF0bM6RKKx6FvKAxJ1QqsoPcVL4cIqtrJfXCmNnHpun2swFTK3d1E 0Kxcml05WFoQENu1lT5adaKLu1mP9tXaBDQlreWLiWrkZpq4wc+CBvpSZxT+JCIN J2aQEfdV2s6FwkVahCdzYkh2e40x0kJysasggCFuArq87AAaYMrM7Ww87FAtqKvC Nthk9rRC3QniOBrqCBfamh+sAw2lq2UnTsw636HNgEO6u+CvCxp5kxXTnJoZ/6Ss pG2h2sUajopHP/c4ilyOrv5oSLLRRM4OPhIs4zHhZ8yLNNKVX3ZZOc0HSQiMdabY S/NrM+pKT4PB0OP/EI+UjUaLRnpXqNSTiUjr7LyNCA5KRvn5
=2deR
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, Nov 18, 2021 at 4:16 PM Simon Richter <sjr@debian.org> wrote:

On 11/18/21 4:08 PM, Stephan Lachnit wrote:

I guess this raises the (maybe already answered) question if the
additional license QA from NEW is for the end-product (i.e. Debian
stable) or for the servers that run the Debian infrastructure, which
of course includes experimental.

The latter.

On Thu, Nov 18, 2021 at 4:29 PM Andrey Rahmatullin <wrar@debian.org> wrote:

On Thu, Nov 18, 2021 at 04:08:23PM +0100, Stephan Lachnit wrote:

I think this is exactly why it makes sense. I think we can trust the
DDs to not make any large mistakes (e.g. putting steam in main).

The existence of NEW means we currently don't, for completely new
packages.

I guess these two answers sum it up then. Thanks.

Regards,
Stephan

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Stephan Lachnit <stephanlachnit@debian.org> writes:

On Thu, Nov 18, 2021 at 4:16 PM Simon Richter <sjr@debian.org> wrote:

On 11/18/21 4:08 PM, Stephan Lachnit wrote:

I guess this raises the (maybe already answered) question if the
additional license QA from NEW is for the end-product (i.e. Debian
stable) or for the servers that run the Debian infrastructure, which
of course includes experimental.

The latter.

On Thu, Nov 18, 2021 at 4:29 PM Andrey Rahmatullin <wrar@debian.org> wrote:

On Thu, Nov 18, 2021 at 04:08:23PM +0100, Stephan Lachnit wrote:

I think this is exactly why it makes sense. I think we can trust the
DDs to not make any large mistakes (e.g. putting steam in main).

The existence of NEW means we currently don't, for completely new
packages.

I guess these two answers sum it up then. Thanks.

There is also the issue of cryptographic software, and the laws
regarding its export from the USA, which Debian deals with by treating
every package as though it _might_ at some point incorporate some
crypto, and therefore registering every package with BXA as part of the
NEW process.

https://wiki.debian.org/USExportControl#Cryptographic_software_in_Debian_main_archive

This may seem like a lot of silly nonsense, but apparently Debian's
process is considered the gold standard by which they judge others, and
I'd assume that one important factor there is that there is no back-door
route by which we publish things from our mirrors prior to them going
through this registration dance.

Cheers, Phil.

P.S. depending upon what exactly you're trying to do with pre-NEW
packages, this may be part of the solution:

https://salsa.debian.org/salsa-ci-team/pipeline/#using-automatically-built-apt-repository
--
|)| Philip Hands [+44 (0)20 8530 9560] HANDS.COM Ltd.
|-| http://www.hands.com/ http://ftp.uk.debian.org/
|(| Hugo-Klemm-Strasse 34, 21075 Hamburg, GERMANY

--=-=-Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE3/FBWs4yJ/zyBwfW0EujoAEl1cAFAmGWnCIACgkQ0EujoAEl 1cBWZA//RXkyjLeMt+HFqG6cGl3qu/LssfZNrdLYqxBrKEsWQSD4WRPNLEtDLgb5 oCEpoQXO2hckunE8yMr860XRsMHKzvo77Hi14n9rc7nSApVwVTK7+khlsAM8ypgJ enfK4HMdz0/overfU/vHjLGdE0kYiZpvXz7u9myk0dFVEXHVfdVN7Hqd8FWBQ48G f4JKWwoZmFoI/BAHb3Jm8Pof70KuDZsTMvYjbz0a7M3lCMTNMDsOW12ptKUv617P NlMu0xXUkZsIA5Ym6LYCdAHV5xLoWTKMeMObIEDZsx3ZmJ/NcvDJ0gv1aoUDqyyE 8Vr71JHRD0rKYMJqR9pFkatIkKgc0yxaSP7PKwRlZBt6oMxtJjtn1LbffBCey8vU FVUjrswkTh37qI1ORIR8W9LMgHSFMMJdywzoykYxPkBeh15w6vcWU9Ty3vIhAWBo CY/s6+HQojEHfnBmQhZmEG2BIvP4yooWrvozsI86vVK5qT3CcrkzxAzJMtnTxHS4 3uf4xeiRp4cRY4rLoFBoLEMUSWSPtP1sYwe4tLEsPpeUSwibjQQURZQxEP1wW/2Y +yEpBUQSj/D8JR8czIY6uYxunEs1EhLveqz8RZdbbkhxZVZlRpNHSy/UdswKBXLE Zs3knJLuud+up46

On Thu, 18 Nov 2021 at 19:28:28 +0500, Andrey Rahmatullin wrote:

On Thu, Nov 18, 2021 at 02:52:56PM +0100, Stephan Lachnit wrote:

I don't know if that has been proposed before, but how about waiving
the NEW queue requirement for experimental packages as a start?
[...] Since packages in experimental will never land in any
official release, I think dropping the NEW queue requirement has no negative impact.

This makes no sense as NEW is mostly about checking licenses.

Part of the problem with any discussion of NEW is that the answer to
"is NEW for A, or for B?" is usually "yes".

For new source packages, my understanding is that NEW is for:

* checking for acceptable licenses / absence of unacceptable licenses
- not breaking other people's rules, e.g. infringing copyright by
distributing without permission to do so
- not breaking our own self-imposed rules, e.g. not allowing non-free
software into main/contrib
* checking debian/copyright completeness
- all licenses mentioned
- all license text copied, unless present in common-licenses
- all entities claiming copyright mentioned (historically for all licenses,
now only for licenses that can be interpreted as requiring it)
* package namespace control
- not accepting obscure/niche packages with very short/generic names
- not accepting packages with misleading names
- enforcing naming conventions like `import foobar` -> `python3-foobar`,
`use Foo::Bar` -> `libfoo-bar-perl`, `libfoobar-1.so.2` -> `libfoobar-1-2`
and https://github.com/go-debos/fakemachine ->
`golang-github-go-debos-fakemachine`
- not having excessively big bundled packages
- not having excessively small micro-packages
* any other QA checks that the ftp team feel like doing
- embedded code copies
- obviously wrong packaging like a shared library in /usr/share
- ??? (I don't know what else the ftp team actually look for in practice)

The justification for NEW packages being unavailable to people outside
the ftp team is that we don't want to be distributing them until they
have had some sort of checking for redistributability (the first of my
points above), because if we don't have permission to redistribute, then
that's copyright infringement. I think a lot of the other inconvenient
things about NEW are consequences of that.

However, most of the other reasons for these checks are essentially self-imposed - for example there's no legal reason *preventing* us
from distributing nvidia-graphics-drivers in main, but we don't *want*
to do that, because it would break our self-imposed rules and undermine
our intended mission (making an entirely Free OS). Similarly, there's no
legal reason preventing us from redistributing obviously wrong packages,
but we want to make a high-quality operating system, so we want to
exclude those packages if we can.

I think it's perhaps useful to make sure we distinguish between rules
that we have because external factors force us to have those rules
(like needing to avoid copyright infringement), and rules that we have
chosen for ourselves (like main being self-contained and Free Software).
Rules that we have chosen are something that we as a project can change,
if we can reach consensus that we want to, and the impact of breaking
them is whatever we as a project think it is. However, rules that come
from external factors are mostly not something that we can change: in particular, needing to have permission to redistribute is something that
is imposed on us by the legal system rather than something that we have
chosen, and it is not within our power to change it. The only thing about
those rules that could potentially be changed by project consensus would
be the level of legal risk we are willing to take, in exchange for the
benefit of being able to do things that benefit the project and our users.

The existence of binary-NEW (for existing source packages that have
added a new binary package) seems like partly namespace control, and
partly an accident of implementation: packages go into these queues
because their names do not appear in the overrides file that lists
packages that were already accepted, and that is equally true for new
binary packages in an existing source package. My understanding is that
the ftp team have a policy of taking the opportunity to do all the same
legal and QA checks they would do for new source packages, not just the
package namespace control part, on the basis that in principle every
package in the archive should be able to pass those checks at any time
(and it would be a RC bug if it didn't).

Of course, in practice typical uploads that do not introduce a new binary package name do not get held in a queue for manual review (because that
would slow down development to a point where we could not make a practical
OS distribution), so this leads to maintainers making packaging decisions
that are not necessarily "right" in the abstract, such as not splitting packages that ideally should have been split, because if they do the
"right" thing their package won't get into unstable until an arbitrary
time has passed (and might get rejected entirely if they have not copied
all the applicable licenses into the right place), whereas if they do the "wrong" thing it will be available immediately. The incentives are not necessarily particularly well-aligned with what we want happening.

smcv

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, 2021-11-18 at 19:32 +0100, Philip Hands wrote:

There is also the issue of cryptographic software, and the laws
regarding its export from the USA, which Debian deals with by treating
every package as though it _might_ at some point incorporate some
crypto, and therefore registering every package with BXA as part of the
NEW process.

IIRC this no longer occurs as the BXA requested we stop notifying them.

--
bye,
pabs

https://wiki.debian.org/PaulWise

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEYQsotVz8/kXqG1Y7MRa6Xp/6aaMFAmGXLnAACgkQMRa6Xp/6 aaPPJBAAtGGJdZZ3Umgzp8d/IVy68kWfrOPIKl0nsJxi7u9xx42zVnVOzu03zka3 GSOVl1xS6FCz8hQrHW3B4CGaXLywynzvKdJjkbZHdaLmhTwytiuNiVH23Qy4dkhH 0/uGp3oFbZPn06mHg2K+5pqenO3mIFkmt69+wfucwM4n2m6iv4rBNKbbaSUXYNBN o2A0K5Kcwz2dZhUpD0H85j71YNQrR3PA4IMQMZTccozNJolVBnJHuykWXsm0uk0J WpwpEcRBBAXL6N4zxVRA/qqJN09Hwy3XpWkCHaLeZhgpYOL63E/VProGlXiK76Fh iT9nX1ETvH+gH/RXn3gCAbc8LAby4J2/+P5r6GCutLtmHfYW+sL+k9RO2r6sXcEX YPpDOxBjx+YAnf4vZA8wnrvU1IGiuOIWpVe8jlVdxtjpTqDLyTkWsE3aPLERRASN DpqAwMKFZy2J5/7x28IxCyHq85e9IABLiYr+jcwpWfenyAOOsgF5sSMbOVA4f5pp L2emt6Fjjt0+nA8a29IwqMAsfPNf9wdpkkxYlFBfH5S8Kgd+30REqjrR3GG8ZOiG s5BtaeSGGRCbRtCGMsTZDNEYnpf7trfzFtLixMBIJqxpRykumCZussCBvOBRRp8n DhKKYOrOhvaTZz4hxo4Vq7qWuHqxwALOqCXxLbSCpjh9KZWMPX8=
=yttj
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Simon Richter <sjr@debian.org> writes:

Hi,

On 11/18/21 4:08 PM, Stephan Lachnit wrote:

I guess this raises the (maybe already answered) question if the
additional license QA from NEW is for the end-product (i.e. Debian
stable) or for the servers that run the Debian infrastructure, which
of course includes experimental.

The latter.

The license must allow Debian to redistribute the package. This is
checked very thoroughly on the initial upload, and updates are
expected to keep the same licensing. Whether that expectation still
holds with upstreams who prefer vendor copies over using external
packages is another matter, but in general these packages require more handholding anyway.

I struggle to see how this assumption is reasonable at all, even keeping vendoring upstreams out of the picture. It is hardly uncommon for
non-giant projects to re-license themselves one or more times after the
initial Debian package has cleared the NEW queue. The larger our
archive, and the more time passes, the more packages we can expect to be shipping whose d/copyright's relationship with reality was never checked
by the FTP Masters.


-- Gard


--=-=-Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQJGBAEBCgAwFiEEz8XvhRCFHnNVtV6AnRFYKv1UjPoFAmGXca0SHGdzcHJAbm9u ZW1wdHkub3JnAAoJEJ0RWCr9VIz6zC0QAJvcpI69DQZo21Q6f+QmvtILcKF74OIO eh+5stdRxSEkXItyAMciKsEdD+ayPKDvFyuopWOi28rl2Juiww5I056Y8l4/whYX bipkB3oRRX0t5CgvYR+1SwBTFQ1Wv6Vh74sAl0WkZxTaWPzSFHETesoVj+tLXmJH Tx+t1Lnfb4KzvWu60p5p9mrOWSoDfP07Eg87tdtLUzt0NwzOjZLxtkjEQD3LTzWB I1tPLiY0vcfLIQMqvjzavvDqlOtod32J8goIPoQzjRbh0s1Af7qzCp4v82AEDeoz cHqupYoLyyYWX3JAPODmvqqiHtny0r0+C+5Tv0iWlA70j1r2lCxE2bGl39YZ80IR nMRAXHnRnWgdQPXwbxHa1TTQhWlfA3C6fKc/rpLJnvUAHTRoohjbwMKJLQzS0cOw Ifq9MaHT9RGKgmLcgeGaFKt3DoyAXeMcDcis4AYxNQE03/nyrVLmbw9Apg2WihVb jqtPm0MyNOBmMefEddFOrbHy/R/7ZWqIzTyGUZjpD+XSIIaQlx00EuVj+2zTvFXi j4MZrA+8sLXCvAcrquy8gUkhHdStLGYtjsRRTOwSQlHKQDIv/GYVO0vlYPcOz/kL YtQZUp2bXhaFfMjXHl9mtlitnEHYemVfdU5H9OCL//uYeu3/+2AYpUdOv9dCYJOP
bxb10SQw2WI1
=jzvo
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Andrey Rahmatullin <wrar@debian.org> writes:

On Thu, Nov 18, 2021 at 04:08:23PM +0100, Stephan Lachnit wrote:

I don't know if that has been proposed before, but how about waiving
the NEW queue requirement for experimental packages as a start?
[...] Since packages in experimental will never land in any
official release, I think dropping the NEW queue requirement has no
negative impact.

This makes no sense as NEW is mostly about checking licenses.

I think this is exactly why it makes sense. I think we can trust the
DDs to not make any large mistakes (e.g. putting steam in main).

The existence of NEW means we currently don't, for completely new
packages.

Since packages in experimental aren't supposed to be used by anyone else
but the DDs themselves, the "damage" of a potentially missing / wrong
license is minimal, considering that DDs are aware of the fact that the
packages aren't "official".

The "damage" that's usually being discussed is Debian distributing
something we can't, not users e.g. getting non-free software thinking it's free. Packages in NEW aren't even publicly accessible because of this,
and discussions of switching to git-based source packages end with "we
can't publish git history of random repos as we don't want to review
and rewrite it".

However I find that view a bit weird. Any update can change the license
or add new files with different licenses, nothing is ever checked by the
ftp-masters (that would be insanity).

Sure.

And in light of the above, assume:

- Source package foo with a single binary package foo, entered Debian
under thorough FTP Masters checking 20 years ago, has had a very
active upstream and rapid development (including numerous rewrites
and language changes) since then, but always just that single binary
package.

- Source package bar that ships a binary libbarN, entered Debian under
thorough FTP Masters checking a few weeks ago after NEW queueing for
months. Slowly developing upstream with few, very limited and
organized, changes over time. Needs a SONAME bump. Or needs to add a
new bar-utils binary, or something.

If the goal is to maximize our users' confidence that foo and bar can be assumed DFSG-compliant, then it does not to me seem like the best use of
our (FTP Masters') limited resources to subject bar to another thorough
review (perhaps having it spend another 4 months in NEW?), while
trusting the maintainer of foo with no further scrutiny.

I'd go as far as to say that if we could not trust the maintainer of foo
the way we do, we could not reasonably make Debian work. And if we can
trust the maintainer of foo with a task where it's arguably easier to
make a mistake than it is for the maintainer of bar, and we cannot trust
the maintainer of bar in that safer case, then we are quite
inconsistent. I would argue that this inconsitency is problematic, both
because it leads to a misapplication of resources, because it may well
convey a false sense of safety onto our users, and because it may be detrimental to attracting new volunteers.


-- Gard

--=-=-Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQJGBAEBCgAwFiEEz8XvhRCFHnNVtV6AnRFYKv1UjPoFAmGXdd0SHGdzcHJAbm9u ZW1wdHkub3JnAAoJEJ0RWCr9VIz6uvsQAMe2HIbo0IYo7dVr4DSIWnxlrIVPx6G+ gZwImRaoRoie5o1d45qn34Z8ca2xa1Tyn/pMmGb5U6FSpFHjRwR+dNq9Km803wJf lMt3H2O5x1RpDY3loZGQtKkCar8uQlsTwL0I7FXrBWkc9yDKVOt3P5sOU5xOdcX/ 1eQNkGuq26rDFMtVpWu17fYBxc/l5rXjJXUTl9RxuZisuov/e61iOcfnnAlhGrWp 9F9KBZQtlHwVF1GIrfCPqfGwNmH8aCY44CIXstUlxqyt3Yh0KS2+rWbwGenSNKLL lQrWQJJFevOwEh45VejCMjvYeSPztyvOesTtzqmePlxyE66iJ4fc2wWGs34r367s udmm5RrG+B3LxRjVN1v/TV8R9o/y1npgXzbdtVVQiAgqdCIxUdGVsGhiCQ6EbH+W 0nEeHYV+dg1GcqJ31LBnkdc4Kc2/aH6Uqq1m0nYsN3GqAaWtf71pgs5hlUM8eA6/ NstWzdw9CMdov2r3ZO9311o+cWofaqQKoBawPl9Y6U7n39rZwDosQdF081Tn1z3x 9rsDMzEG4sjgHgPiBJyS2LXwF+MqQjhC9xeXoNb5RSYPHbbmDYsi3DSo3hWURTn9 2eLLM597Pate+mus9yVrEJ7/N83CYnnmmhnq9oSXNQiaxfflBa+JuendD8t+i7jS
QGnDR94Se6Pi
=zOyf
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)