Debian's "global" package visits the Technical Committee
Debian package maintainers have famously wide latitude in making technical decisions about their packages. There are few checks on that power, though the distribution's Technical Committee (TC) has some rarely used abilities to rein in maintainers who are not acting in the best interests of Debian and its users. A recent request that the TC help resolve a dispute with the maintainer of the package for the GNU GLOBAL source-code tagging system shows just how knotty solving that kind of problem can be.
The Debian "global" package is based on version 5.7.1 of GLOBAL, which was released in 2008 and is seriously obsolete according to the upstream project. Back in 2010, a bug was filed that asked package maintainer Ron Lee to update to the then-current 5.9.2 release. Over the next several years, others piled on, asking that the Debian package be updated, with no response from Lee. But, when GLOBAL developer Shigio Yamaguchi orphaned the package in 2013, Lee did respond; he pointed out that Debian was then frozen for the "Wheezy" (Debian 7) release, but also noted that there is a fundamental problem with part of the newer versions of GLOBAL:
Lee had patched around that problem (with the "htags" feature) in the versions of the package he released from 1999 to 2009; he also suggested a fix to the upstream project that was apparently rejected by Yamaguchi. The htags feature provides a way to browse the source code and tags using CGI scripts that are generated from the source. Those must be installed in a system-wide location, which requires root privileges.
In response to Lee, Yamaguchi noted that any bug reports or feature requests for GLOBAL should be posted to the bug-global mailing list. Lee argued that nothing had changed since it had been discussed earlier (evidently in private email), however. Over the next year or so, there were some others asking about updating the Debian global package in the bug, once again without any response.
In March 2014, though, a different tack was tried. Punit Agrawal posted about some progress he had made in creating an updated global package. He had not encountered the problem with the htags feature, since he doesn't use it. That feature is believed to be little-used, though there is no real data on exactly how little-used it is.
What is clear is that Lee is frustrated with how GLOBAL is developed and the choices the project has made in how it gets installed, while some of the users of GLOBAL are frustrated with the way-old version of it that is packaged for Debian. Lee described the problems he sees in response to Agrawal's efforts to package the newer version:
A generated script that the user is required to run as root, or making a privileged system directory 777 writable is not such an interface.
The obvious solution (to some, at least) is to simply patch out the htags piece, but Lee was opposed to that option as well: "Saying 'I don't need this, so I'm just going to remove it for everyone else to rush out the bits that _I_ want' is not an acceptable solution." The security issue that Lee is raising is serious, but tangential to the main use of the tool, at least for those posting in the bug. Yamaguchi's suggestion to create a "global6" package that removed the CGI piece was also shot down by Lee. Instead, he argued, any bugs in the existing global package should be identified and fixed.
That's where things stood until Wei Liu filed another bug in March 2016 asking that the global package be updated to 6.5.2. Several others agreed that an update would be useful, but Lee did not reply. By October, though, Vincent Bernat, who also participated in the first bug report, was seemingly fed up; he suggested that if another maintainer could be found, this problem could be taken to the TC for resolution. Agrawal said that he was willing to take the global package over and would prefer that Lee be given the chance to reconsider, rather than simply routing around him by creating a global6 package.
Enter the TC
To that end, Bernat filed the TC bug on October 19. In it, he asked that the TC either find a way to convince Lee to update the package or overrule his decision not to do so; if being overruled is not acceptable to Lee, he asked that the maintainership be handed off to Agrawal. Wookey agreed that the problem appears to be intractable at this point:
1) upload a new package,
2) allow an upload which removes the offending CGI bit (which users don't really care about anyway)
3) write something to change the local behaviour to be satisfactory.
Upstream has been clear that they are not going to change how it works, but they don't care if debian omits that bit or changes it locally, so it seems to me that a maintainer has to do one of the above three things. 5 years of this is more than long enough to conclude that they are not doing their job adequately, and because of our strong maintainership culture, are preventing other people from doing that job.
As might be guessed, Lee sees things rather differently. In his lengthy reply (one of several long responses to the TC bug), it is clear that he believes the fault lies with the upstream GLOBAL project being unwilling to change or drop the htags feature so that it can be installed sanely on Debian. In fact, he said, the project has changed the interfaces that he and Yamaguchi worked out in 1999 such that his changes to GLOBAL to package it for Debian no longer work. Thus, he is between a rock and a hard place:
He and Bernat went back and forth a bit, but it is clear that no one is changing any minds and progress is not being made. Many of the participants obviously have their heels dug in—Yamaguchi on htags staying in the upstream version, Lee on the insecurity of the htags, Bernat and others on the global version currently packaged. Removing htags from the Debian package would seem an option, but Lee is leery of doing that without getting more information on who is actually using the feature; he is worried that any htags users will be unhappy with a new version without that feature:
TC member Tollef Fog Heen tried to find some middle ground. He agreed with Lee that making uninformed decisions is not sensible, but wondered if this had all been going on too long:
I'm leaning towards dropping htags, since that seems to have problems security-wise (the idea of generated CGIs doesn't fill me with joy, at least, and hopefully not many others either), and also has a lot less value today than it used to back in the days.
It turns out that Lee may be coming around to that conclusion as well. The changes made to GLOBAL in the interim have made it even less palatable to ship the htags piece and he had suggested several times that Doxygen could easily replace htags for those that do actually need to browse the source code and tags from the web. He also noted that patching the existing version of the Debian global package to fix the problems that people are running into might be possible as well.
It isn't exactly clear which path Lee will take, but he seems to be backing down, at least a bit, on the requirement to keep the htags piece in the Debian package. But, what is clear is that it took an escalation to the TC to even get Lee to engage about the problem; progress may be made soon, but it seems somewhat counterproductive to force an escalation to make that happen. As Wookey put it:
Certainly, blocking any updates for nearly a decade over a dispute about how a certain feature should work—even because of security concerns—is not helping anyone. If Lee lost confidence in the upstream project, as it appears he has, then allowing someone else to take over the maintainership would seem the right course. Protecting existing users from having their workflow interrupted by removal of an ancillary feature is to be lauded at some level, but keeping up with the "new shiny" is part of the maintainer's responsibility as well. It can be a difficult balance to strike.
No formal resolution of the TC bug has occurred; the members may be hoping to see the problem resolved without actually having to take that step. When pressed, Lee can seemingly muster up strong and voluminous arguments for his course of action, but it is a bit hard for outsiders to see things his way. While he may be skeptical that the "new shiny" adds any real value, many users of the package have effectively routed around him to simply take the upstream version because the ancient Debian version does not work for them. That is an unfortunate outcome—and one to be avoided if possible.
Posted Nov 4, 2016 5:01 UTC (Fri)
by toyotabedzrock (guest, #88005)
Being hard-headed to prevent bad security is needed because people will whine and complain endlessly.
See Yahoo for what being agreeable instead of secure brings you.
Posted Nov 7, 2016 19:46 UTC (Mon)
by JanC_ (guest, #34940)
And I wonder how many less-obvious security issues (possibly fixed in newer versions) the rest of that old code has…