• Bits from the DPL (May 2019)

    From Sam Hartman@21:1/5 to All on Sun Jun 2 20:00:01 2019
    Dear Debian:

    May was my first full month as DPL. It was busy, but I think I've found
    a rhythm that allows me to balance my DPL responsibilities against my job
    and the rest of my life. I'd like to thank Chris Lamb for pointing out
    the importance of paying attention to that balance early. I think I'll
    be a happier DPL for that advice.

    While no date has been announced yet, excitement is certainly building
    for the Buster release. According to recent mail on debian-release, the
    largest issue standing in the way of picking a release date is how to
    handle security for Go packages. Go packages are typically statically
    linked, so when a Go library receives a security update, all dependent
    packages need to be rebuilt. This requires tracking what needs to be
    rebuilt. There are also some infrastructure challenges around
    performing the necessary NMUs.

    It looks like progress is being made. So I think excitement is
    certainly in order. How do you plan to celebrate the Buster release?

    Electrum
    ========

    I was reading Reddit [1] and came across a thread discussing how the
    electrum package in sid led to a situation where an attacker gained your bitcoin credentials and all your money.

    “That’s kind of broken even for unstable, someone should fix that,” I thought. Then I realized that I was the project leader and this was my problem. No, perhaps not the bug itself, but when our processes fail
    it’s the DPL’s job to go track down what’s going on.

    The bug [2] was reported, and even marked release-critical. It was
    severity serious not critical, and not tagged security. The maintainer
    was having trouble dealing with some of the new dependencies of the
    upstream version that fixed the bug. It was going to be a while before
    we got a fix into Debian, but the current situation was an active danger
    to our users.

    It is not often that you get to NMU a package with no delay introducing
    a crash (and explanatory error) at startup without getting any
    complaints. Removing the package would have left the code that was
    actively being exploited on people’s computers.

    For me it was a real awakening to being DPL and what that sometimes means.


    [1]:
    https://www.reddit.com/r/debian/comments/bj3ild/just_a_warning_about_the_electrum_bitcoin_wallet/
    [2]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921688


    Dh as a Preferred Packaging Style
    =================================

    As promised, I started a discussion [3] on whether we wanted to prefer
    (and in some cases require) the dh sequencer from Debhelper as a package building tool.

    We had a great discussion. I published my understanding of our project consensus. We are seeking final comments until June 16. At this point,
    to contribute meaningfully, you probably do need to read a significant
    portion of the existing discussion along with the consensus call.

    After June 16 I’ll send a revised consensus summary to
    debian-devel-announce. Once we have captured the consensus, I will talk
    to people like the policy team to move forward.

    While the main discussion was going on, I had some smaller discussions.
    I was initially planning to ask the TC to come up with an initial draft
    of policy changes based on the debian-devel discussion. I thought that
    a smaller group like the TC might give us some initial input for the
    broader debian-policy process to refine. I got some negative input on
    that approach that I think is worth digging into in more detail
    independent of the dh discussion.

    However that also sparked a great discussion with the policy editors
    about how they might approach something like dh in their process.
    Based on that discussion, I think they have the energy and skill to move forward and I look forward to seeing how that part of the process runs.


    [3]:
    https://lists.debian.org/msgid-search/tsla7fqjzyv.fsf@suchdamage.org

    Git on Salsa
    ============

    The next discussion I will drive is a discussion of whether we want to
    strongly recommend Debian packaging be done using Git on
    salsa.debian.org.

    I do not expect us to be able to come to as clear of a consensus as I
    think we have done on the dh discussion. There are a lot more factors
    to consider and a lot less uniformity in the project. I plan to run the discussion in a similar manner though. I’ll start out with a message
    that frames things and asks some key questions. During the discussion I
    will summarize where we seem to be going and flag areas where more input
    would help judge consensus.

    Ian Jackson [4] started a survey of Git packaging practices. He is
    working to collect all the different approaches we have for using Git as
    part of writing a FAQ about dgit. I think that his survey will help us
    in the Salsa discussion too. If you use Git in your packaging, please
    take a look at his work and make sure the work flow you use is
    represented.


    There was another discussion that will be great background for thinking
    about Git [5]. The discussion started when Gard Spreemann asked about preferred branch structures. However we had a great discussion of some
    of the tradeoffs involved in Git workflows, dgit and related tools. I
    know I learned a lot.

    [4]:
    https://lists.debian.org/msgid-search/23789.22766.778482.983490@chiark.greenend.org.uk
    [5]: https://lists.debian.org/msgid-search/878svtcgp3.fsf@moose

    Antiharassment Account Manager and DPL Meeting
    ==============================================


    The account managers, antiharassment team and DPL have been trying to
    meet for a number of months. We finally picked a date and will be
    meeting in late June to discuss how we can all work together to keep
    Debian a safe and welcoming community.

    Financial Activity
    ==================

    * Approved budget for Debian Perl Sprint [6]
    * Approved budget for Debian Edu sprint [7]
    * Approved budget for Mini DebConf 2019 Hamburg [8]
    * Talked to Debconf about their budget; a budget amendment came in at
    the end of the month but has not been reviewed yet
    * Approved DSA expenses for support for our storage array

    I also worked with the treasury team to develop some criteria that I use
    to evaluate requests to fund attending conferences. If you are logged
    into salsa, you can read the repository [9].

    [6]: https://wiki.debian.org/Sprints/2019/DebianPerlSprint
    [7]: https://wiki.debian.org/Sprints/2019/DebianEdu
    [8]: https://wiki.debian.org/DebianEvents/de/2019/MiniDebConfHamburg
    [9]: https://salsa.debian.org/treasurer-team/documentation


    In Case You Missed It
    =====================

    * Mo Zhou proposed a policy on deep learning [10]. There are some
    significant questions that come up when we talk about whether a machine
    learning model is free software. This policy attempts to explore these
    questions. I hope ftpmaster will think about these issues when
    evaluating machine learning models in Debian.
    * Mini DebConf Hamburg June 5-9 [8]
    * Mini-DebConf Vaumarcus October 25-27 [11]
    * Debian welcomes our GSOC and Outreachy interns [12]

    As a reminder, Debian can reimburse up to $100 US (or equivalent) for
    developers attending a bug squashing party (BSP).

    [10]: https://salsa.debian.org/lumin/deeplearning-policy
    [11]: https://wiki.debian.org/DebianEvents/ch/2019/Vaumarcus
    [12]:
    https://bits.debian.org/2019/05/welcome-gsoc2019-and-outreachy-interns.html

    Feedback Requested
    ==================

    As always, your feedback is welcome on these points or any aspect of the
    DPL's work. Similarly, if you would like to ask the DPL for help, you
    can write to leader@debian.org.

